Security scan
OpenClaw
Suspicious
high confidence
Assessment recommendations
This skill mostly implements what it says (storing, searching, compressing memory files) but has several red flags you should resolve before installing or running it:
1) Do not trust the hardcoded BILLING_API_KEY in payment.py. It is sensitive and could indicate accidental key leakage or malicious use. Ask the publisher to remove the embedded key and require a configurable secret (and to document which env vars are required).
2) Clarify how billing is enforced: which scripts call payment.py, wh...
⚠ Purpose and capabilities
Most code files (memory_store, memory_search, memory_compressor) implement the described long-term memory functionality and use a workspace directory for storage, which is coherent. However, the bundle also contains a SkillPay billing module (payment.py), and _meta.json declares payment env variables while the registry summary earlier listed none. Requiring a billing integration is not inherently inconsistent, but the way it is implemented (hardcoded API key) is unexpected and disproportionate for a pure memory helper. SKILL.md references tools (memory_organizer.py, memory_sync.py) that are not present in the package, which is an inconsistency.
⚠ Instruction scope
SKILL.md stays mostly in-scope (how to store/search/compress memory files) and gives CLI usage examples. But it advertises a per-call charge and asks users to ensure a balance without explaining how payment is enforced at runtime. The included payment.py can enforce payment, yet none of the memory scripts import or call it, so it is unclear when or where payments are checked. SKILL.md also references components that are missing from the package, leaving the skill's runtime behavior unclear.
ℹ Installation mechanism
There is no external install step (instruction-only with included scripts), so nothing is downloaded at install time. That lowers supply-chain risk. However, the package contains executable scripts that will read and write files under /root/.openclaw/workspace when run; executing those scripts locally can make filesystem changes, so inspect them first.
⚠ Credential requirements
_meta.json claims SkillPay integration and names the SKILLPAY_API_KEY and SKILLPAY_USER_ID environment variables, but the registry metadata at the top declared no required env vars, which is a mismatch. payment.py does use the environment variable SKILLPAY_USER_ID, but it also contains a hardcoded BILLING_API_KEY secret literal in the source. Hardcoded credentials are unexpected and excessive for a memory-management skill and pose an exfiltration / misuse risk.
ℹ Persistence and permissions
The skill does not request always:true and is user-invocable; it is allowed to be invoked autonomously (normal). It creates and modifies files under a workspace directory (default /root/.openclaw/workspace), which is typical for a persistence-oriented skill, but you should confirm that path is appropriate on your host. The skill does not appear to modify other skills or system-wide configurations.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest: v2025.4.15 (2026/3/27)
● Suspicious
Install command
Official: npx clawhub@latest install shenmeng-long-term-memory
Mirror (accelerated): npx clawhub@latest install shenmeng-long-term-memory --registry https://cn.longxiaskill.com