Memory Strategy

当用户需要管理对话记忆时应使用此skill。 触发条件包括： - 用户说"记下来"、"记住这个"、"别忘了"、"永久保存"、"这是一个重点" - 用户查询历史信息："之前是怎么做的"、"查找关于...的记录"、"回忆一下..." - 会话结束需要自动整理归档 - 需要评估信息重要性并决定存储位置 - 需要更新记忆...

This skill is suspicious for several concrete reasons you should resolve before installing/using it: - Missing artifacts: The SKILL.md references multiple helper scripts (evaluate_importance.py, silent_agent.py, retrieve_memory.py, update_index.py) and an assets/references directory, but the published skill contains no code files. Ask the publisher to provide the scripts or explain how the agent is expected to run them. Running arbitrary, unspecified scripts is risky. - Undeclared external credential: The docs recommend using a Kimi API (KIMI_API_KEY) for scoring but the skill manifest does not declare any required env vars. If you intend to supply such a key, require confirmation about where/how it will be used and stored. - Secrets storage risk: The design explicitly lists contacts.md in long-term memory and calls it '相关API密钥' (related API keys). That suggests storing API keys/credentials in plaintext within .memory/long-term — this is insecure. Do not store secrets in plain files. Prefer a secure secret/vault, or at minimum require guidance to encrypt or restrict permissions and add .memory to .gitignore. - Automatic write behavior: Silent Agent will extract and write conversation content at session end or after a timeout. Decide whether you want the agent to auto-write and where files are stored. If you keep it, restrict directory location, set strict file permissions, and avoid saving sensitive conversations or credentials. - Next steps to reduce risk before using: 1) Request the missing scripts and review their code (or ask for a manifest that lists the exact operations the agent will run). 2) Ask the author to declare required env vars (e.g., KIMI_API_KEY) in the manifest and justify them. 3) Remove any guidance to store API keys in contacts.md; implement secret-storage best practices (vault, encrypted files, or OS keyring) instead. 4) Configure .memory to be outside source control (add to .gitignore), set restrictive file permissions, and audit contents regularly. 5) If you cannot validate the missing scripts and secret-handling behavior, avoid enabling automatic Silent Agent writes and prefer manual review of any extracted content. Because these inconsistencies combine privacy and credential-handling risks, treat this skill as suspicious until the publisher provides the missing code and clear, secure handling of credentials and persistent storage.

Type: OpenClaw Skill Name: memory-strategy Version: 0.1.0 The skill implements a complex memory management system that explicitly instructs the AI agent to store sensitive information, including 'API keys,' in plaintext files such as '.memory/long-term/contacts.md'. It references several external Python scripts (e.g., evaluate_importance.py, silent_agent.py) and automated 'Silent Agent' background tasks that are not provided in the bundle, making it impossible to verify if the collected sensitive data is exfiltrated or handled securely.