中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:2 days ago Rescan
5 /100
memory-palace
Cognitive enhancement layer for OpenClaw agents with semantic search, time reasoning, knowledge graphs, experience accumulation, and LLM-enhanced features
Memory Palace is a legitimate cognitive enhancement layer for AI agents with persistent memory management, semantic search, and LLM-enhanced features. No malicious behavior detected.
Skill Namememory-palace
Duration69.7s
Enginepi
Safe to install
This skill is safe to use. The allowed-tools declaration (Bash with npx only) and filesystem:WRITE scoped to workspace are appropriate.

Findings 3 items

Severity Finding Location
Info
Postinstall dependency checker
scripts/check-vector-deps.cjs runs automatically after npm install and may prompt to install Python dependencies. Requires user confirmation before pip install.
Runs after npm install, prompts for vector dependencies
→ This is expected behavior for optional ML dependencies. The script properly asks for user consent.
 scripts/check-vector-deps.cjs:1
Info
Python subprocess spawning
LocalVectorSearchProvider spawns a Python process for vector embeddings. This is documented and necessary for semantic search.
spawn('python3', [this.scriptPath, ...])
→ This is expected behavior for ML feature requiring Python runtime. No malicious activity.
 src/background/vector-search.ts:62
Info
LLM integration reads OpenClaw config
SubagentClient reads OpenClaw configuration to get LLM API credentials. Credentials are used only for legitimate LLM API calls.
path.join(process.env.HOME || '/root', '.openclaw', 'openclaw.json')
→ Expected behavior - the skill needs API credentials to call LLM. No exfiltration observed.
 src/llm/subagent-client.ts:82
ResourceDeclaredInferredStatusEvidence
Filesystem WRITE WRITE ✓ Aligned Scoped to workspaceDir/memory/palace - safe scope for memory storage
Shell WRITE WRITE ✓ Aligned Only Bash(npx memory-palace:*) declared - CLI tool via npx, not raw shell access
Network NONE READ ✓ Aligned LLM API calls via SubagentClient to configured OpenClaw provider - expected beha…
57 findings
🔗
Medium External URL 外部 URL
https://hf-mirror.com
AGENTS.md:114
🔗
Medium External URL 外部 URL
https://keepachangelog.com/en/1.0.0/
CHANGELOG.md:5
🔗
Medium External URL 外部 URL
https://semver.org/spec/v2.0.0.html
CHANGELOG.md:6
🔗
Medium External URL 外部 URL
https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
CODE_OF_CONDUCT.md:119
🔗
Medium External URL 外部 URL
https://www.contributor-covenant.org
CODE_OF_CONDUCT.md:124
🔗
Medium External URL 外部 URL
https://www.contributor-covenant.org/faq.
CODE_OF_CONDUCT.md:127
🔗
Medium External URL 外部 URL
https://www.contributor-covenant.org/translations.
CODE_OF_CONDUCT.md:128
🔗
Medium External URL 外部 URL
https://clawhub.com/skills/memory-palace
README.md:51
🔗
Medium External URL 外部 URL
https://opencollective.com/eslint
package-lock.json:46
🔗
Medium External URL 外部 URL
https://eslint.org/donate
package-lock.json:113
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/@types/node/-/node-20.19.37.tgz
package-lock.json:237
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/@types/uuid/-/uuid-10.0.0.tgz
package-lock.json:247
🔗
Medium External URL 外部 URL
https://opencollective.com/typescript-eslint
package-lock.json:273
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/base64-js/-/base64-js-1.5.1.tgz
package-lock.json:685
🔗
Medium External URL 外部 URL
https://www.patreon.com/feross
package-lock.json:695
🔗
Medium External URL 外部 URL
https://feross.org/support
package-lock.json:699
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/bl/-/bl-4.1.0.tgz
package-lock.json:706
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/buffer/-/buffer-5.7.1.tgz
package-lock.json:731
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/canvas/-/canvas-3.2.1.tgz
package-lock.json:806
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/chownr/-/chownr-1.1.4.tgz
package-lock.json:821
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/decompress-response/-/decompress-response-6.0.0.tgz
package-lock.json:922
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/deep-extend/-/deep-extend-0.6.0.tgz
package-lock.json:938
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/detect-libc/-/detect-libc-2.1.2.tgz
package-lock.json:991
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/end-of-stream/-/end-of-stream-1.4.5.tgz
package-lock.json:1029
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/expand-template/-/expand-template-2.0.3.tgz
package-lock.json:1524
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/fs-constants/-/fs-constants-1.0.0.tgz
package-lock.json:1640
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/github-from-package/-/github-from-package-0.0.0.tgz
package-lock.json:1755
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/ieee754/-/ieee754-1.2.1.tgz
package-lock.json:1889
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/inherits/-/inherits-2.0.4.tgz
package-lock.json:1930
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/ini/-/ini-1.3.8.tgz
package-lock.json:1937
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/mimic-response/-/mimic-response-3.1.0.tgz
package-lock.json:2439
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/minimist/-/minimist-1.2.8.tgz
package-lock.json:2468
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/mkdirp-classic/-/mkdirp-classic-0.5.3.tgz
package-lock.json:2478
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/napi-build-utils/-/napi-build-utils-2.0.0.tgz
package-lock.json:2492
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/node-abi/-/node-abi-3.89.0.tgz
package-lock.json:2506
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/node-addon-api/-/node-addon-api-7.1.1.tgz
package-lock.json:2519
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/once/-/once-1.4.0.tgz
package-lock.json:2623
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/prebuild-install/-/prebuild-install-7.1.3.tgz
package-lock.json:2751
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/pump/-/pump-3.0.4.tgz
package-lock.json:2789
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/rc/-/rc-1.2.8.tgz
package-lock.json:2810
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/readable-stream/-/readable-stream-3.6.2.tgz
package-lock.json:2826
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/safe-buffer/-/safe-buffer-5.2.1.tgz
package-lock.json:2926
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/semver/-/semver-7.7.4.tgz
package-lock.json:2982
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/simple-concat/-/simple-concat-1.0.1.tgz
package-lock.json:3143
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/simple-get/-/simple-get-4.0.1.tgz
package-lock.json:3164
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/string_decoder/-/string_decoder-1.3.0.tgz
package-lock.json:3204
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/strip-json-comments/-/strip-json-comments-2.0.1.tgz
package-lock.json:3283
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/tar-fs/-/tar-fs-2.1.4.tgz
package-lock.json:3306
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/tar-stream/-/tar-stream-2.2.0.tgz
package-lock.json:3319
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/tunnel-agent/-/tunnel-agent-0.6.0.tgz
package-lock.json:3379
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/typescript/-/typescript-5.9.3.tgz
package-lock.json:3483
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/undici-types/-/undici-types-6.21.0.tgz
package-lock.json:3516
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/util-deprecate/-/util-deprecate-1.0.2.tgz
package-lock.json:3533
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/uuid/-/uuid-9.0.1.tgz
package-lock.json:3540
🔗
Medium External URL 外部 URL
http://mirrors.tencentyun.com/npm/wrappy/-/wrappy-1.0.2.tgz
package-lock.json:3668
🔗
Medium External URL 外部 URL
https://www.python.org/downloads/
scripts/check-vector-deps.cjs:84
📧
Info Email 邮箱地址
[email protected]
scripts/ab-test/final-test.ts:48

File Tree

71 files · 646.0 KB · 21167 lines
TypeScript 39f · 11909L Markdown 20f · 4158L JSON 3f · 3751L Python 3f · 671L JavaScript 4f · 580L Shell 1f · 98L
├─ 📁 bin
│ └─ 📜 memory-palace.js JavaScript 140L · 4.7 KB
├─ 📁 docs
│ ├─ 📝 AB-TEST-REPORT.md Markdown 210L · 6.1 KB
│ ├─ 📦 comparison-chart.svg 7.4 KB
│ ├─ 📝 README.zh-CN.md Markdown 267L · 6.3 KB
│ ├─ 📝 README.zh-TW.md Markdown 243L · 5.7 KB
│ ├─ 📝 ROADMAP.md Markdown 276L · 6.6 KB
│ └─ 📝 v1.1-llm-integration.md Markdown 600L · 13.8 KB
├─ 📁 examples
│ ├─ 📝 project-memory.md Markdown 55L · 1.7 KB
│ └─ 📝 user-preferences.md Markdown 42L · 1.2 KB
├─ 📁 references
│ ├─ 📝 examples.md Markdown 232L · 4.4 KB
│ └─ 📝 tools.md Markdown 323L · 5.3 KB
├─ 📁 scripts
│ ├─ 📁 ab-test
│ │ ├─ 📝 AGENTS.md Markdown 72L · 2.1 KB
│ │ ├─ 📜 debug-wednesday.ts TypeScript 51L · 1.9 KB
│ │ ├─ 📜 final-test.ts TypeScript 386L · 21.5 KB
│ │ ├─ 📜 report.ts TypeScript 588L · 21.3 KB
│ │ ├─ 📜 run-jarvis-test.ts TypeScript 255L · 8.4 KB
│ │ ├─ 📜 run-test.ts TypeScript 555L · 15.7 KB
│ │ ├─ 📜 test-data.ts TypeScript 453L · 13.8 KB
│ │ ├─ 📜 test-queries.ts TypeScript 209L · 6.8 KB
│ │ ├─ 📜 test-time-reasoning.ts TypeScript 47L · 1.4 KB
│ │ └─ 📜 verify-hits.ts TypeScript 67L · 2.0 KB
│ ├─ 🐍 ab-test-vector.py Python 182L · 6.2 KB
│ ├─ 📜 check-vector-deps.cjs JavaScript 170L · 5.4 KB
│ ├─ 🔧 install-vector-model.sh Shell 98L · 2.9 KB
│ ├─ 📜 test-score.ts TypeScript 29L · 1015 B
│ ├─ 🐍 test-vector.py Python 186L · 6.3 KB
│ ├─ 🐍 vector-service.py Python 303L · 10.2 KB
│ └─ 📜 verify-skill.ts TypeScript 183L · 7.5 KB
├─ 📁 src
│ ├─ 📁 background
│ │ ├─ 📜 compress.ts TypeScript 353L · 9.5 KB
│ │ ├─ 📜 concept-expansion.ts TypeScript 371L · 12.2 KB
│ │ ├─ 📜 conflict.ts TypeScript 329L · 10.1 KB
│ │ ├─ 📜 scheduler.ts TypeScript 94L · 2.4 KB
│ │ ├─ 📜 time-reasoning.ts TypeScript 407L · 12.3 KB
│ │ └─ 📜 vector-search.ts TypeScript 355L · 9.2 KB
│ ├─ 📁 cognitive
│ │ ├─ 📜 cluster.ts TypeScript 192L · 5.8 KB
│ │ ├─ 📜 entity.ts TypeScript 234L · 6.6 KB
│ │ └─ 📜 graph.ts TypeScript 346L · 9.4 KB
│ ├─ 📁 llm
│ │ ├─ 📝 AGENTS.md Markdown 87L · 2.9 KB
│ │ ├─ 📜 concept-expander.ts TypeScript 201L · 6.1 KB
│ │ ├─ 📜 experience-extractor.ts TypeScript 220L · 6.3 KB
│ │ ├─ 📜 index.ts TypeScript 65L · 1.2 KB
│ │ ├─ 📜 smart-compressor.ts TypeScript 261L · 7.5 KB
│ │ ├─ 📜 subagent-client.ts TypeScript 748L · 19.6 KB
│ │ ├─ 📜 summarizer.ts TypeScript 239L · 6.5 KB
│ │ ├─ 📜 time-parser.ts TypeScript 246L · 7.4 KB
│ │ └─ 📜 types.ts TypeScript 174L · 3.8 KB
│ ├─ 📁 tests
│ │ ├─ 📜 experience.test.ts TypeScript 340L · 11.7 KB
│ │ ├─ 📜 llm.test.ts TypeScript 313L · 9.8 KB
│ │ ├─ 📜 manager.test.ts TypeScript 358L · 11.1 KB
│ │ └─ 📜 time-concept.test.ts TypeScript 336L · 12.8 KB
│ ├─ 📝 AGENTS.md Markdown 61L · 2.8 KB
│ ├─ 📜 experience-manager.ts TypeScript 318L · 9.6 KB
│ ├─ 📜 index.ts TypeScript 91L · 2.7 KB
│ ├─ 📜 manager.ts TypeScript 711L · 20.4 KB
│ ├─ 📜 storage.ts TypeScript 412L · 11.8 KB
│ └─ 📜 types.ts TypeScript 315L · 6.2 KB
├─ 📁 tests
│ ├─ 📁 integration
│ │ ├─ 📜 mock-vector-search.ts TypeScript 329L · 8.6 KB
│ │ └─ 📜 openclaw-integration.test.ts TypeScript 728L · 22.7 KB
│ └─ 📜 cli.test.js JavaScript 214L · 6.4 KB
├─ 📝 AGENTS.md Markdown 159L · 5.3 KB
├─ 📝 CHANGELOG.md Markdown 92L · 2.8 KB
├─ 📝 CODE_OF_CONDUCT.md Markdown 127L · 5.1 KB
├─ 📝 CONTRIBUTING.md Markdown 66L · 1.4 KB
├─ 📜 eslint.config.mjs JavaScript 56L · 1.5 KB
├─ 📝 INTEGRATION-REPORT.md Markdown 203L · 4.9 KB
├─ 📝 OPENCLAW-INTEGRATION-PROPOSAL.md Markdown 332L · 9.8 KB
├─ 📋 package-lock.json JSON 3687L · 125.6 KB
├─ 📋 package.json JSON 45L · 1.2 KB
├─ 📝 README.md Markdown 349L · 8.7 KB
├─ 📝 SKILL.md Markdown 362L · 6.7 KB
└─ 📋 tsconfig.json JSON 19L · 490 B

Dependencies 3 items

PackageVersionSourceKnown VulnsNotes
uuid ^9.0.0 npm No Standard UUID library, minimal attack surface
sentence-transformers latest pip (optional) No Optional ML dependency for semantic search, not auto-installed without consent
numpy latest pip (optional) No Optional dependency for vector embeddings

Security Positives

✓ No sensitive path access (no ~/.ssh, ~/.aws, .env theft)
✓ No data exfiltration or external IP communication beyond configured LLM provider
✓ No reverse shell, C2, or credential harvesting
✓ Filesystem access scoped to designated workspace storage path
✓ Shell access restricted to npx CLI tool invocations only
✓ Clear documentation of all features in SKILL.md
✓ Vector service binds only to localhost (127.0.0.1)
✓ Fallback mechanisms for LLM failures (no forced dependencies)
✓ MIT license with transparent open-source code
✓ Regex injection protection via escapeRegExp() in text search