← 返回 Skills 市场

Xiaoshan Memory Publish

Name: Xiaoshan Memory Publish
Author: waychan8

作者 waychan8 · GitHub ↗ · v3.3.0 · MIT-0

cross-platform ⚠ suspicious

总下载

当前安装

版本数

在 OpenClaw 中安装

/install xiaoshan-memory

功能描述

XiaoShan Memory Engine - Persistent AI memory with semantic search and knowledge graph. Triggers: remember/search memory/recall/forget/knowledge graph/memory...

安全使用建议

Do not install blindly. Specific things to check before proceeding: - Verify origin: the package references a numeric IP (152.136.24.34) for homepage/update. Prefer skills hosted on reputable domains or known release hosts (GitHub releases, official domains). - Confirm where the engine comes from: this bundle does not include the core api_server.py; start_server expects an external 'xiaoshan-memory-engine'. Ask the publisher how that engine will be installed and inspect any downloaded archive before running it. - Sensitive keys: the SKILL.md asks you to set provider API keys (OPENAI_API_KEY, ZHIPU_API_KEY, DEEPSEEK_API_KEY) but the skill metadata did not declare these. Only provide keys if you trust the code and after reviewing what the engine sends over the network. - Local files: the skill will create ~/.xiaoshan and store activation.json (plaintext license key) and may create memory.db. If you install, inspect these files and consider file permissions or encrypting sensitive data. - If you want to test safely: run inside a throwaway VM/container without network access, or review the downloaded zip contents before executing. Contact the skill author for a canonical release URL and source code repository; absence of a reputable homepage is a reasonable cause to decline installation. If you want, I can list the exact lines/files that reference the IP and where activation/license is stored so you can inspect them locally.

功能分析

Type: OpenClaw Skill Name: xiaoshan-memory Version: 3.3.0 The skill bundle contains social engineering tactics and infrastructure anomalies. Specifically, SKILL.md includes a preemptive disclaimer claiming that VirusTotal flags are 'known false positives,' which is a common technique used to bypass user suspicion. Additionally, package.json lists a raw IP address (152.136.24.34) as the project homepage rather than a registered domain. While the provided Python scripts (scripts/setup.py, scripts/activate.py) perform only basic file operations, these metadata signals are characteristic of potentially unwanted or malicious software.

能力标签

requires-sensitive-credentials

能力评估

⚠ Purpose & Capability

The package claims to be a full 'memory engine', but the included files do not contain the core engine (api_server.py). scripts/start_server.py explicitly looks for an external 'xiaoshan-memory-engine' directory or workspace and prints an error if not found, implying an additional download/install step. package.json and _meta.json reference an IP address (http://152.136.24.34) as homepage/update URL — an unusual non-domain host for an upstream source. These elements are disproportionate to a simple skill bundle and suggest external downloads are expected.

ℹ Instruction Scope

SKILL.md tells users to set provider API keys (OPENAI_API_KEY, etc.) and to run npx clawhub@latest install xiaoshan-memory, but the skill metadata did not declare required env vars. The runtime scripts create/read ~/.xiaoshan and save a plaintext activation key to ~/.xiaoshan/activation.json. The instructions do not explicitly document fetching the engine from the IP in _meta.json, but start_server implies the engine must be installed elsewhere. The skill's runtime actions (writing activation file, creating ~/.xiaoshan) are consistent with a memory engine, but the missing engine and external download are concerning.

⚠ Install Mechanism

There is no formal install spec in the registry entry, but _meta.json contains an updateUrl pointing at an IP (http://152.136.24.34/xiaoshan-memory-protected.zip). Downloads from numeric IP addresses and non-official hosts are higher risk because they may deliver arbitrary code. The package homepage in package.json is the same IP. The bundle itself lacks the engine binary, implying an additional network fetch is required (and that fetch's host is an IP address rather than a reputable release host).

⚠ Credentials

The registry metadata declares no required env vars or primary credential, yet SKILL.md and SKILL-zh instruct users to configure provider API keys (OPENAI_API_KEY, ZHIPU_API_KEY, DEEPSEEK_API_KEY) in ~/.xiaoshan/config.yaml or environment. Scripts write/read ~/.xiaoshan/activation.json (plaintext license key). The skill requests sensitive credentials (API keys) in practice but didn't list them in requires.env — this mismatch is a red flag.

ℹ Persistence & Privilege

always is false and the skill does not request global/always-on privileges. It will create a directory under the user's home (~/.xiaoshan) and store a plaintext activation key and possibly a local DB (memory.db). That behavior is consistent with a local memory store but users should note data is stored unencrypted in the home directory unless otherwise configured.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install xiaoshan-memory
安装完成后，直接呼叫该 Skill 的名称或使用 /xiaoshan-memory 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v3.3.0

xiaoshan-memory 3.3.0 - Improved installation instructions with security notes and troubleshooting. - Enhanced documentation for environment variable and config file setup. - Added clarification on supported providers and API endpoints. - Minor formatting and clarity updates in documentation.

v3.2.1

xiaoshan-memory v3.2.1 - Updated documentation for clearer setup instructions and endpoint summaries. - Simplified and clarified SKILL.md and API references. - Revised and condensed trigger keywords and descriptions. - Improved decision/action mapping table for user commands. - No changes to core functionality—documentation updates only.

v3.2.0

- Major update: Improved documentation, new scripts, and expanded trigger support. - Added detailed README.md and SKILL-zh.md for better onboarding and multilingual support. - Introduced admin and server management scripts (activate.py, setup.py, start_server.py, status.py). - Expanded and clarified trigger keywords and usage scenarios in SKILL.md. - Updated API documentation for clarity and practical command examples. - Added metadata file for easier integration and version management.

v3.1.2

Removed all external URLs API key examples and crypto patterns from skill docs. Simplified scripts to pure file I/O only.

v3.1.1

Simplified scripts to remove false positive warnings. No crypto/subprocess/fingerprinting in skill package.

v3.1.0

v3.1.0-OpenAI-provider-international-payment-English-API

元数据

Slug xiaoshan-memory

版本 3.3.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 6

常见问题

Xiaoshan Memory Publish 是什么？

XiaoShan Memory Engine - Persistent AI memory with semantic search and knowledge graph. Triggers: remember/search memory/recall/forget/knowledge graph/memory... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 78 次。

如何安装 Xiaoshan Memory Publish？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install xiaoshan-memory」即可一键安装，无需额外配置。

Xiaoshan Memory Publish 是免费的吗？

是的，Xiaoshan Memory Publish 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Xiaoshan Memory Publish 支持哪些平台？

Xiaoshan Memory Publish 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Xiaoshan Memory Publish？

由 waychan8（@waychan8）开发并维护，当前版本 v3.3.0。