验证所有文件的完整性

The skill offers a "VMP 保护的预编译版本" (VMP protected pre-compiled version) in the `dist/` directory for production use, which is explicitly described as "代码混淆，难以审计" (code obfuscated, difficult to audit). Although a fully auditable source (`src/`) version is provided, the existence of an obfuscated binary for deployment introduces an anti-analysis challenge and could potentially hide malicious code if checksums are not rigorously verified or are compromised.

2. **dist/ 目录**（可选）- ⚠️ VMP 保护的预编译版本 - ⚠️ 代码混淆，难以审计

The skill declares "广泛的文件系统操作" (extensive file system operations) within the `~/.openclaw` directory, including read, write, create, and delete. While this is central to its memory management functionality and includes mitigations like default disabling of automatic features, the broad access could be exploited for data manipulation or exfiltration if the skill's logic is compromised.

2. **广泛的文件系统操作** - 范围：~/.openclaw 目录 - 操作：读、写、创建、删除

The skill performs network access to user-configured LLM/embedding API endpoints. Although it states that it only accesses user-configured endpoints and does not embed API keys, this capability could be misused for data exfiltration or other network-based attacks if a user is socially engineered into configuring a malicious endpoint.

3. **网络访问** - 目的：调用用户配置的 LLM/embedding API 端点

The skill explicitly states that all `shell=True` calls have been removed and all `subprocess` calls use parameter lists. This significantly mitigates command injection vulnerabilities, demonstrating a commitment to secure coding practices for external command execution.

✅ 已彻底移除所有 shell=True 调用 - ✅ 所有 subprocess 调用使用参数列表（无命令注入风险）

The skill explicitly states that it does not embed any API keys or credentials, and all API endpoints are read from configuration files or environment variables. This is a strong security practice that prevents credential theft from the skill's code.

✅ **不内置任何 API 密钥或凭据**（已验证）

The skill ships a 'dist/' directory containing VMP (Virtual Machine Protection) obfuscated pre-compiled code that is explicitly described as hard to audit or reverse-engineer. This is a classic supply-chain obfuscation technique: the auditable src/ version is presented for review while the obfuscated dist/ version is used in production, creating an audit gap where malicious behaviour can be hidden.

**dist/ 目录**（可选）
- ⚠️ VMP 保护的预编译版本
- ⚠️ 代码混淆，难以审计
- ⚠️ 仅用于生产环境性能优化
VMP (Virtual Machine Protection) 是代码保护技术
- 会使代码难以逆向工程和审计

The skill loads arbitrary native shared libraries (.so files) via SQLite's extension loading mechanism. The documentation itself acknowledges this provides 'an arbitrary code execution path' (任意代码执行路径). While SHA256 verification is claimed, the trust hash list (.trusted_hashes.json) is stored in the user's home directory and could be manipulated. Loading a native shared library is equivalent to arbitrary code execution.

1. **原生 SQLite 扩展加载**（vec0.so）- 风险等级：HIGH
   - 文件：src/core/sqlite_ext.py
   - 风险：提供任意代码执行路径
可能从 ~/.openclaw/extensions 加载 SQLite 扩展（需用户确认）

The skill includes modules and instructions for deep system-level manipulation: IRQ affinity modification (requires root), hugepage configuration (requires root and modifies /etc/sysctl.conf), GRUB bootloader parameter modification, disabling system services (irqbalance), and NUMA process binding. These are not typical for an LLM memory skill and represent significant privilege escalation vectors.

sudo sysctl -w vm.nr_hugepages=1024
echo 'vm.nr_hugepages=1024' | sudo tee -a /etc/sysctl.conf
sudo systemctl stop irqbalance
sudo systemctl disable irqbalance
for irq in /proc/irq/*/smp_affinity_list; do echo "0-2" > $irq; done
GRUB_CMDLINE_LINUX="... isolcpus=3-7 nohz_full=3-7 rcu_nocbs=3-7"
sudo update-grub && sudo reboot

The skill explicitly reads /proc/cpuinfo and /proc/meminfo for 'performance optimization detection'. This constitutes system reconnaissance, gathering CPU topology, hardware capabilities, and memory configuration. This information could be used to fingerprint the host environment or adapt payloads to the target system.

⚠️ 例外：读取 `/proc/cpuinfo` 用于性能优化检测（仅 Linux）
grep HugePages /proc/meminfo

The skill instructs writing to /etc/sysctl.conf and modifying GRUB bootloader configuration, both of which are system-wide persistence mechanisms that survive reboots. Modifying these files as part of an LLM memory skill is far outside the declared functionality scope.

echo 'vm.nr_hugepages=1024' | sudo tee -a /etc/sysctl.conf
GRUB_CMDLINE_LINUX="... isolcpus=3-7 nohz_full=3-7 rcu_nocbs=3-7"
sudo update-grub && sudo reboot

The skill instructs users to install additional tools via 'npx clawhub@latest install skill-vetter' and 'npx clawhub@latest install clawsec-suite'. These are unverified third-party packages fetched from npm at runtime. This introduces supply-chain risk: a malicious npm package could be installed and executed on the user's system under the guise of security tooling.

# 安装 skill-vetter
npx clawhub@latest install skill-vetter

# 安装 ClawSec
npx clawhub@latest install clawsec-suite

The skill's own security notes disclose that a previous version contained real API keys in backup files ('已删除包含真实密钥的备份文件'). This suggests the skill was published with hardcoded credentials in the past. The current version claims to have removed them, but the obfuscated dist/ directory cannot be audited to confirm this.

【重要修复 - 2026-04-11】
- ✅ **所有配置文件无硬编码 API 密钥**
- ✅ `config/unified_config.json`: 使用 `YOUR_*_API_KEY` 占位符
- ✅ 已删除包含真实密钥的备份文件

The skill explicitly presents a 'src/' directory as the auditable version for security scanning while promoting a separate obfuscated 'dist/' version for production use. This dual-package design is a known technique to pass security review while deploying different (potentially malicious) code. The skill's own table states '源码版 | src/ | ClawHub 安全扫描' vs '保护版 | dist/ | 生产环境使用', confirming the two versions serve different audiences.

| **源码版** | `src/` | ClawHub 安全扫描 | 完全透明，可审计 |
| **保护版** | `dist/` | 生产环境使用 | VMP 保护，防篡改 |
- ✅ `src/` 目录包含完整源码，供安全扫描和审计