Scan Report
5/100
memory-lancedb-pro
Production-grade long-term memory MCP plugin for OpenClaw AI agents with LanceDB, hybrid vector+BM25 retrieval, and LLM-powered Smart Extraction
This is a legitimate OpenClaw memory plugin (memory-lancedb-pro v1.1.0-beta.8) documented entirely as Markdown. All shell commands are explicitly documented in SKILL.md. The pre-scan IOC `rm -rf /` at line 697 is a false positive — the actual command is `rm -rf /tmp/jiti/` (a legitimate jiti cache invalidation step, properly documented in setup instructions). No scripts, no binaries, no code files.
Safe to install
This skill is safe to use. No action required.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | Reads openclaw.json config, plugin paths, LanceDB data directory (~/.openclaw/) … |
| Network access | READ | READ | ✓ Consistent | HTTP API calls to jina.ai, openai.com, siliconflow.com, localhost:11434 (Ollama)… |
| Command execution | WRITE | WRITE | ✓ Consistent | openclaw CLI commands, npm install, git clone, curl, rm -rf /tmp/jiti/ — all doc… |
| Environment variables | READ | READ | ✓ Consistent | References ${OPENAI_API_KEY}, ${JINA_API_KEY}, ${SILICONFLOW_API_KEY}, ${OPENCLA… |
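1 critical, 18 findings
| Severity | Category | Finding | Match | Location |
|---|---|---|---|---|
| Critical | Dangerous command | Dangerous shell command | rm -rf / | SKILL.md:697 |
| Medium | External URL | External URL | https://claude.ai/code | README.md:28 |
| Medium | External URL | External URL | https://openclaw.ai | README.md:32 |
| Medium | External URL | External URL | https://storage.ko-fi.com/cdn/kofi2.png?v=3 | README.md:229 |
| Medium | External URL | External URL | https://ko-fi.com/aila | README.md:229 |
| Medium | External URL | External URL | https://jina.ai/api-key | SKILL.md:29 |
| Medium | External URL | External URL | https://platform.openai.com/api-keys | SKILL.md:29 |
| Medium | External URL | External URL | https://cloud.siliconflow.cn/account/ak | SKILL.md:38 |
| Medium | External URL | External URL | https://ollama.com/download | SKILL.md:62 |
| Medium | External URL | External URL | https://api.jina.ai/v1/embeddings | SKILL.md:88 |
| Medium | External URL | External URL | https://api.siliconflow.com/v1/rerank | SKILL.md:104 |
| Medium | External URL | External URL | https://api.jina.ai/v1 | SKILL.md:162 |
| Medium | External URL | External URL | https://api.jina.ai/v1/rerank | SKILL.md:186 |
| Medium | External URL | External URL | http://192.168.1.100:11434/v1 | SKILL.md:333 |
| Medium | External URL | External URL | https://dashscope.aliyuncs.com/compatible-mode/v1 | SKILL.md:1223 |
| Medium | External URL | External URL | https://dashscope.aliyuncs.com/compatible-api/v1/reranks | SKILL.md:1236 |
| Medium | External URL | External URL | https://api.voyageai.com/v1/rerank | SKILL.md:1252 |
| Medium | External URL | External URL | https://api.pinecone.io/rerank | SKILL.md:1253 |
Directory structure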
3 files · 76.7 KB · 1951 lines · Markdown
├─ references
│  └─ full-reference.md (Markdown)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Security highlights
✓ All content is Markdown documentation only — no executable code, scripts, or binaries
✓ All shell commands (curl API checks, npm install, openclaw CLI, rm -rf /tmp/jiti/) are explicitly declared inline in SKILL.md
✓ No credential harvesting — API keys are only used as config substitutions or validated against their own provider APIs
✓ No base64, no eval(), no obfuscated payloads, no direct IP network calls to attacker infrastructure
✓ No access to sensitive paths like ~/.ssh, ~/.aws, .env
✓ No curl|bash remote script execution — curl is used only for API key validation against documented endpoints
✓ No hidden functionality — full-reference.md documents all 31 source files, their sizes, and their purposes
✓ Legitimate npm plugin with declared dependencies: @lancedb/lancedb, openai, @sinclair/typebox
✓ No data exfiltration or suspicious outbound connections
✓ The pre-scan IOC 'rm -rf /' at SKILL.md:697 is a false positive — the actual command is `rm -rf /tmp/jiti/` (targeted cache directory, fully documented)