Is khli01/memorylayer safe?

https://github.com/openclaw/skills/tree/main/skills/khli01/memorylayer

91
SAFE

This skill appears to be a legitimate HTTP client for a semantic memory service. The code is straightforward and contains no obvious malicious functionality, though it does send data to external endpoints as part of its declared purpose.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (4)

MEDIUM External HTTP requests to third-party service -10

The skill makes HTTP requests to memorylayer.clawbot.hk as part of its normal operation to store and retrieve memory data. While this is disclosed functionality, it represents data being sent to an external service.

LOW Requires user credentials -5

The skill requires users to provide email/password or API key credentials for the external service, which could be intercepted or misused if the service is compromised.

LOW Contains executable code -10

The skill includes JavaScript and Python executable code files, though the code appears to be standard HTTP client functionality.

INFO External URLs in documentation -5

The SKILL.md file contains references to external URLs, though these appear to be legitimate service documentation links rather than injection attempts.