Security Scan
OpenClaw
Safe
medium confidence
Assessment and Recommendations
This skill appears to do what it says — it stores and retrieves 'memories' on zellin.ai and auto-configures your OpenClaw skill entry. Before installing or running the signup flow: 1) Prefer manual setup if you want full control: sign up at zellin.ai and set SPARK_API_KEY / SPARK_ORG_ID yourself rather than entering an account password into the script. 2) If you use the interactive signup, use a dedicated email/password (do not reuse high-value passwords). 3) Review zellin.ai's privacy policy an...
✓ Purpose and Capabilities
Name/description, required env vars (SPARK_API_KEY, SPARK_ORG_ID), and the scripts all point to a single external service (https://zellin.ai). The binaries requested (curl, python3) are necessary to make HTTP calls and construct JSON, and the declared config path (skills.entries.spark-memory) matches the install/writing behavior in scripts.
ℹ Instruction Scope
SKILL.md explicitly instructs the agent to run included scripts for signup, recording, recalling, and morning-insights; those scripts only call the Spark API and modify the OpenClaw skill config. This stays within the memory/integration scope, but the signup flow asks the user for an email and password and then POSTs those credentials to zellin.ai, stores API credentials into the local OpenClaw config, and attempts to restart the gateway — side effects that are functional for the feature but worth user consent and understanding.
✓ Installation Mechanism
No remote download/install or archive extraction is present; the skill is instruction- and script-based and relies on local shell scripts and existing tools (curl/python3). This is lower risk than fetching arbitrary code from an external URL.
✓ Credential Requirements
Only SPARK_API_KEY and SPARK_ORG_ID are required and declared (primaryEnv set to SPARK_API_KEY). These map directly to the external service used. No unrelated secrets or broad system credentials are requested.
ℹ Persistence and Permissions
always:false (not force-installed). The skill runs scripts that can write to your OpenClaw config (~/.openclaw/openclaw.json) and restart the gateway; that behavior is consistent with auto-configuration but elevates local side-effect risk (config modification + restart). The skill is allowed to be invoked autonomously by default (disable-model-invocation:false), which combined with network access means it could autonomously send recorded memories to the external service — appropriate for its purpose but something to be aware of.
Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Version
latest v0.3.7 2026/3/24
● Suspicious
Install Command
Official: npx clawhub@latest install spark-memory
Mirror (accelerated): npx clawhub@latest install spark-memory --registry https://cn.longxiaskill.com