Security scan
OpenClaw
Suspicious
high confidence
Assessment and recommendations
This package looks like an unfinished or poorly packaged skill rather than outright malicious code, but there are multiple red flags you should address before installing: (1) Missing implementations — many scripts referenced in index.js/package.json are not present, so commands will fail. (2) Inconsistent model settings — vector dimensionality differs between files (1024 vs 384); verify the correct model and dims before indexing. (3) Undeclared credentials — SKILL.md asks for an Edgefn API key b...
Detailed analysis
⚠ Purpose and capabilities
The SKILL.md and config claim integration with Edgefn (BAAI/bge-m3 and bge-reranker) and many runtime commands, but the repository does not include most referenced script files (e.g., loader, searcher, enhancer, retriever, integrator, monitor, optimizer, backup, restore, cleaner). package.json and SKILL.md advertise many commands/features that cannot run because those implementations are missing. Additionally, model vector dimensionality is inconsistent across files: SKILL.md and config mention 1024 dimensions while init.js (initial index) and CHANGELOG.md reference 384 — a clear mismatch.
⚠ Instruction scope
SKILL.md instructs altering OpenClaw configuration (adding Edgefn model provider and context compression settings) and copying the skill into ~/.openclaw/skills/. The init script writes config and initial index into ~/.openclaw/workspace, but there is no code that actually modifies OpenClaw's central config or 'auto-applies' the advertised global settings. The docs also ask the user to provide an Edgefn API key, but the skill metadata declares no required environment variables — a gap between instructions and declared runtime requirements.
⚠ Installation mechanism
There is no formal install spec in the registry entry (instruction-only), but the package contains code and package.json lists clawhub install_hook and uninstall_hook pointing to scripts/install.js and scripts/uninstall.js which are not present. That means automated install hooks are referenced but missing. The installation instructions in SKILL.md rely on cloning or clawhub; with missing scripts and hooks the install may be incomplete or fail.
⚠ Credential requirements
SKILL.md explicitly requires an 'Edgefn API 密钥' (Edgefn API key) for the embedding and reranker models, but the skill metadata declares no required environment variables or primary credential. Requesting an API key for a model provider is expected for this functionality, but the omission from metadata is a discrepancy that can hide the need to supply sensitive credentials. Also the skill references networked model providers (edgefn, qwen-portal) in config, which justifies credential needs but those needs are not declared formally.
ℹ Persistence and privileges
The skill does not request 'always: true' and uses normal user-level paths under the user's home (~/.openclaw/...). The init script creates directories and copies config into ~/.openclaw/workspace/config — this is consistent with an ordinary skill installing itself into the user's OpenClaw workspace. However SKILL.md's language implying automatic application of global OpenClaw settings is stronger than the actual code (which only writes files to the workspace), so verify what will be changed before proceeding.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v0.1.0 2026/3/7
● Suspicious
Install command
Official: npx clawhub@latest install smart-memory-system
Mirror: npx clawhub@latest install smart-memory-system --registry https://cn.longxiaskill.com