sense-memory Security Report — Trusted | ClawSafe

5 /100

sense-memory

Sovereign persistence for AI agents — encrypted key-value memories and journal entries on Nostr relays

The sense-memory skill is a legitimate Nostr-based encrypted memory store. It declares pip as a required binary, relies on published PyPI packages, and has no hidden functionality, obfuscation, or credential exfiltration.

Skill Namesense-memory

Duration36.3s

Enginepi

✓

Safe to install

Approve for use. The skill is straightforward and well-documented.

Findings 1 items

Severity	Finding	Location
Low	External package dependency not bundled Supply Chain The skill depends on `sense-memory` and `nostrkey` from PyPI rather than bundling them. This introduces supply chain risk — verify package integrity and ownership. `"dependencies": ["nostrkey>=0.1.1"]` → Pin to exact versions and consider vendoring the packages to eliminate external dependencies.	`metadata.json:20`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No file read/write in skill files
Network	`NONE`	`READ`	✓ Aligned	External PyPI packages (nostrkey, sense_memory) — Nostr relay connections docume…
Shell	`NONE`	`NONE`	—	pip declared in metadata.openclaw.requires.bins, used only for package install
Environment	`NONE`	`READ`	✓ Aligned	NOSTRKEY_PASSPHRASE, NOSTR_NSEC read by external packages (documented as require…

4 findings

🔗

Medium External URL 外部 URL

https://clawhub.ai/vveerrgg/nostrkey

SKILL.md:36

🔗

Medium External URL 外部 URL

https://clawhub.ai/vveerrgg/nostr-profile

SKILL.md:288

🔗

Medium External URL 外部 URL

https://clawhub.ai/vveerrgg/nse

SKILL.md:291

🔗

Medium External URL 外部 URL

https://huje.tools

metadata.json:8

File Tree

3 files · 16.8 KB · 402 lines

Markdown 1f · 303L JSON 1f · 53L Python 1f · 46L

├─ ▾ 📁 examples

│ └─ 🐍 basic_usage.py Python 46L · 1.3 KB

├─ 📋 metadata.json JSON 53L · 1.3 KB

└─ 📝 SKILL.md Markdown 303L · 14.3 KB

Dependencies 2 items

Package	Version	Source	Known Vulns	Notes
`nostrkey`	`>=0.1.1`	pip	No	Min version pinned, not exact version
`sense-memory`	`latest`	pip	No	Version not specified — pulls latest

Security Positives

✓ SKILL.md clearly documents all behavior including encryption (NIP-44), storage modes (NIP-78, NIP-04), and network targets (relays)

✓ No base64, obfuscated code, or anti-analysis patterns detected

✓ No credential harvesting or data exfiltration — secrets remain local for encryption only

✓ No hidden instructions or prompt injection detected

✓ Input validation documented (key sanitization, content length caps, relay query caps)

✓ No direct shell execution or subprocess usage in skill files

✓ Memory keys validated against path traversal patterns

✓ MIT license declared

Scan Report

Findings 1 items

File Tree

Dependencies 2 items

Security Positives