Xiaoshan Memory Publish

by waychan8 · GitHub ↗ · v3.3.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 78
Stars: 0
Active Installs: 0
Versions: 6
Install in OpenClaw
/install xiaoshan-memory
Description
XiaoShan Memory Engine - Persistent AI memory with semantic search and knowledge graph. Triggers: remember/search memory/recall/forget/knowledge graph/memory...
Usage Guidance
Do not install blindly. Specific things to check before proceeding:
  - Verify origin: the package references a numeric IP (152.136.24.34) for homepage/update. Prefer skills hosted on reputable domains or known release hosts (GitHub releases, official domains).
  - Confirm where the engine comes from: this bundle does not include the core api_server.py; start_server expects an external 'xiaoshan-memory-engine'. Ask the publisher how that engine will be installed and inspect any downloaded archive before running it.
  - Sensitive keys: the SKILL.md asks you to set provider API keys (OPENAI_API_KEY, ZHIPU_API_KEY, DEEPSEEK_API_KEY) but the skill metadata did not declare these. Only provide keys if you trust the code and after reviewing what the engine sends over the network.
  - Local files: the skill will create ~/.xiaoshan and store activation.json (plaintext license key) and may create memory.db. If you install, inspect these files and consider file permissions or encrypting sensitive data.
  - If you want to test safely: run inside a throwaway VM/container without network access, or review the downloaded zip contents before executing.
Contact the skill author for a canonical release URL and source code repository; absence of a reputable homepage is a reasonable cause to decline installation. If you want, I can list the exact lines/files that reference the IP and where activation/license is stored so you can inspect them locally.
Capability Analysis
Type: OpenClaw Skill
Name: xiaoshan-memory
Version: 3.3.0
The skill bundle contains social engineering tactics and infrastructure anomalies. Specifically, SKILL.md includes a preemptive disclaimer claiming that VirusTotal flags are 'known false positives,' which is a common technique used to bypass user suspicion. Additionally, package.json lists a raw IP address (152.136.24.34) as the project homepage rather than a registered domain. While the provided Python scripts (scripts/setup.py, scripts/activate.py) perform only basic file operations, these metadata signals are characteristic of potentially unwanted or malicious software.
Capability Tags
requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The package claims to be a full 'memory engine', but the included files do not contain the core engine (api_server.py). scripts/start_server.py explicitly looks for an external 'xiaoshan-memory-engine' directory or workspace and prints an error if not found, implying an additional download/install step. package.json and _meta.json reference an IP address (http://152.136.24.34) as homepage/update URL — an unusual non-domain host for an upstream source. These elements are disproportionate to a simple skill bundle and suggest external downloads are expected.
Instruction Scope
SKILL.md tells users to set provider API keys (OPENAI_API_KEY, etc.) and to run npx clawhub@latest install xiaoshan-memory, but the skill metadata did not declare required env vars. The runtime scripts create/read ~/.xiaoshan and save a plaintext activation key to ~/.xiaoshan/activation.json. The instructions do not explicitly document fetching the engine from the IP in _meta.json, but start_server implies the engine must be installed elsewhere. The skill's runtime actions (writing activation file, creating ~/.xiaoshan) are consistent with a memory engine, but the missing engine and external download are concerning.
Install Mechanism
There is no formal install spec in the registry entry, but _meta.json contains an updateUrl pointing at an IP (http://152.136.24.34/xiaoshan-memory-protected.zip). Downloads from numeric IP addresses and non-official hosts are higher risk because they may deliver arbitrary code. The package homepage in package.json is the same IP. The bundle itself lacks the engine binary, implying an additional network fetch is required (and that fetch's host is an IP address rather than a reputable release host).
Credentials
The registry metadata declares no required env vars or primary credential, yet SKILL.md and SKILL-zh instruct users to configure provider API keys (OPENAI_API_KEY, ZHIPU_API_KEY, DEEPSEEK_API_KEY) in ~/.xiaoshan/config.yaml or environment. Scripts write/read ~/.xiaoshan/activation.json (plaintext license key). The skill requests sensitive credentials (API keys) in practice but didn't list them in requires.env — this mismatch is a red flag.
Persistence & Privilege
always is false and the skill does not request global/always-on privileges. It will create a directory under the user's home (~/.xiaoshan) and store a plaintext activation key and possibly a local DB (memory.db). That behavior is consistent with a local memory store but users should note data is stored unencrypted in the home directory unless otherwise configured.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install xiaoshan-memory
  3. After installation, invoke the skill by name or use /xiaoshan-memory
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v3.3.0
xiaoshan-memory 3.3.0
  - Improved installation instructions with security notes and troubleshooting.
  - Enhanced documentation for environment variable and config file setup.
  - Added clarification on supported providers and API endpoints.
  - Minor formatting and clarity updates in documentation.
v3.2.1
xiaoshan-memory v3.2.1
  - Updated documentation for clearer setup instructions and endpoint summaries.
  - Simplified and clarified SKILL.md and API references.
  - Revised and condensed trigger keywords and descriptions.
  - Improved decision/action mapping table for user commands.
  - No changes to core functionality—documentation updates only.
v3.2.0
  - Major update: Improved documentation, new scripts, and expanded trigger support.
  - Added detailed README.md and SKILL-zh.md for better onboarding and multilingual support.
  - Introduced admin and server management scripts (activate.py, setup.py, start_server.py, status.py).
  - Expanded and clarified trigger keywords and usage scenarios in SKILL.md.
  - Updated API documentation for clarity and practical command examples.
  - Added metadata file for easier integration and version management.
v3.1.2
Removed all external URLs API key examples and crypto patterns from skill docs. Simplified scripts to pure file I/O only.
v3.1.1
Simplified scripts to remove false positive warnings. No crypto/subprocess/fingerprinting in skill package.
v3.1.0
v3.1.0-OpenAI-provider-international-payment-English-API
Metadata
Slug: xiaoshan-memory
Version: 3.3.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 6
Frequently Asked Questions

What is Xiaoshan Memory Publish?

XiaoShan Memory Engine - Persistent AI memory with semantic search and knowledge graph. Triggers: remember/search memory/recall/forget/knowledge graph/memory... It is an AI Agent Skill for Claude Code / OpenClaw, with 78 downloads so far.

How do I install Xiaoshan Memory Publish?

Run "/install xiaoshan-memory" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Xiaoshan Memory Publish free?

Yes, Xiaoshan Memory Publish is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Xiaoshan Memory Publish support?

Xiaoshan Memory Publish is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Xiaoshan Memory Publish?

It is built and maintained by waychan8 (@waychan8); the current version is v3.3.0.
