中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 10/100
Last scan:2 days ago Rescan
10 /100
palaia
Local, crash-safe persistent memory for OpenClaw agents with SQLite backend and semantic search
palaia is a legitimate memory persistence skill implemented entirely as documentation with no executable code. All described capabilities (pip/npm install, SQLite storage, MCP integration) are declared, relevant, and necessary.
Skill Namepalaia
Duration41.8s
Enginepi
Safe to install
No action needed. Consider pinning package versions in installation commands for reproducibility.

Findings 4 items

Severity Finding Location
Low
Unpinned package version in pip install
Installation commands use 'pip install "palaia[fastembed]"' without version pinning, which could install a different version if the package is updated or compromised on PyPI.
pip install "palaia[fastembed]"
→ Consider specifying a version: pip install "palaia[fastembed]==2.6"
 SKILL.md:36
Low
Unpinned npm package installation
OpenClaw plugin installed via 'npm install -g @byte5ai/palaia@latest' without a fixed version, creating a supply chain dependency.
npm install -g @byte5ai/palaia@latest
→ Pin to a specific version for production deployments
 SKILL.md:52
Info
API keys referenced in documentation
OPENAI_API_KEY and GEMINI_API_KEY are documented as optional embedding providers. These are legitimate use cases for cloud AI services, not credential harvesting.
Set `OPENAI_API_KEY`
→ No action needed; clearly documented as optional external API integration
 SKILL.md:172
Info
Database URL with potential credentials
PostgreSQL connection strings may contain credentials. palaia uses them only for database connectivity, not exfiltration.
palaia config set database_url postgresql://user:pass@host/db
→ Ensure database_url is configured securely (localhost or trusted network)
 SKILL.md:159
ResourceDeclaredInferredStatusEvidence
Filesystem NONE NONE SKILL.md is documentation only; no Read/Write tool usage declared or inferred
Shell WRITE WRITE ✓ Aligned pip install, npm install, palaia init/doctor/upgrade commands throughout SKILL.m…
Network READ READ ✓ Aligned pip/npm package downloads, optional cloud embedding APIs (OpenAI, Gemini), MCP c…
Environment READ READ ✓ Aligned OPENAI_API_KEY, GEMINI_API_KEY, PALAIA_DATABASE_URL, PALAIA_AGENT documented for…
Database WRITE WRITE ✓ Aligned SQLite storage in .palaia/palaia.db, PostgreSQL backend option, CRUD operations …
1 findings
📧
Info Email 邮箱地址
[email protected]
SKILL.md:424

File Tree

1 files · 30.5 KB · 818 lines
Markdown 1f · 818L
└─ 📝 SKILL.md Markdown 818L · 30.5 KB

Dependencies 2 items

PackageVersionSourceKnown VulnsNotes
palaia unpinned pip No Package version not specified in SKILL.md installation commands
@byte5ai/palaia latest npm No NPM plugin installed without version pin

Security Positives

✓ SKILL.md is pure documentation with zero executable code - no scripts, no obfuscation
✓ All capabilities are explicitly declared in documentation
✓ No base64 encoding, eval(), or suspicious runtime patterns
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ No data exfiltration or external IP connections outside of declared cloud APIs
✓ SQLite storage is local and crash-safe (WAL mode)
✓ MCP server supports --read-only mode for untrusted hosts
✓ Dangerous operations (gc --aggressive) require explicit user confirmation
✓ Privacy markers (<private>...</private>) prevent accidental sensitive data capture
✓ Explicit warning against storing secrets in memory entries