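Trusted — Risk score 5/100
Last scanned: 18 hours ago
Minimalist Memory Auto-Sync (极简记忆自动同步)
Automatically listens for conversation events, writes them to Markdown memory files in real time, and syncs them to the LanceDB vector store.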
A legitimate conversation memory synchronization plugin that writes chat logs to local Markdown files and LanceDB, with no malicious behavior detected.
Skill name: Minimalist Memory Auto-Sync
Analysis time: 36.4s
Engine: pi
OK to install
This skill is safe to use. The only minor issue is the technically misleading '100% zero-dependency' claim since it imports from the OpenClaw plugin SDK, but this is expected and not a security concern.

Security findings: 1

Severity | Finding | Location
Low | Minor doc claim inaccuracy (documentation deception) | SKILL.md:6
SKILL.md states '100% zero-dependency: uses only Node.js native APIs' but the code imports from 'openclaw/plugin-sdk'. This is expected for a plugin but technically a dependency.
✅ 100%零依赖:只用Node.js原生API ("100% zero-dependency: uses only Node.js native APIs")
→ Update SKILL.md to say 'Minimal external dependencies' or 'Uses only Node.js native APIs plus the OpenClaw SDK'

Resource type | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ Consistent | index.ts:43 fs.appendFile to /home/tao/.openclaw/workspace/memory
Skill invocation | READ | READ | ✓ Consistent | index.ts:6 imports OpenClawPluginApi to register event handlers
Network access | NONE | NONE | | No network calls in codebase
Command execution | NONE | NONE | | No subprocess or shell execution in codebase

Directory structure

3 files · 4.4 KB · 126 lines
TypeScript 1f · 92L Markdown 1f · 22L JSON 1f · 12L
├─ 📜 index.ts TypeScript 92L · 3.2 KB
├─ 📋 package.json JSON 12L · 428 B
└─ 📝 SKILL.md Markdown 22L · 809 B

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
openclaw/plugin-sdk | * | import | | Expected SDK dependency for plugin architecture, not a security risk

Security highlights

✓ No network requests or external communications
✓ No credential harvesting or environment variable access
✓ No shell execution or subprocess calls
✓ No obfuscation, base64 encoding, or anti-analysis techniques
✓ No data exfiltration behavior
✓ No hidden functionality beyond what the skill claims to do
✓ Legitimate use case: storing conversation logs for memory sync
✓ Uses OpenClaw's official plugin API (api.memory.store) rather than bypassing security
✓ No sensitive file access beyond the declared memory storage directory
✓ Zero malicious indicators detected