Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mem0 Tech Tree Memory
v5.0.0Manage and explore a tech tree of knowledge nodes with dependencies, unlock paths, synergies, tiers, and mastery progress tracking.
⭐ 0· 45·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description, SKILL.md and mem0_skill.py align: a local tech-tree memory manager that reads/writes tree.json and provides store/retrieve/list/etc. However package.json declares an npm dependency (mem0ai) and Node metadata while the runtime is Python — this is disproportionate and unexplained.
Instruction Scope
SKILL.md only instructs running the included Python script (store/retrieve/tree/info/list/clear). The instructions describe local operations on the tech tree; they do not request external endpoints, credentials, or reading unrelated system paths. Based on the visible Python code, operations are local (load/save tree.json, tokenization, graph analysis).
Install Mechanism
There is no install spec (instruction-only), which is low risk. But package.json is present with an npm dependency (mem0ai). If someone runs npm install this could pull external code; that behavior is not required by the SKILL.md and is unexpected.
Credentials
The skill declares no required environment variables or credentials and the SKILL.md does not ask for any. The tree.json sample contains entries mentioning tools and configured services (OpenAI, OpenClaw, launchd) but these are content strings, not authorization requests. Still, the presence of those strings is informational and not a declared requirement.
Persistence & Privilege
Skill does not request always:true and is user-invocable only. It persists only to its own tree.json file (read/write in same directory). It does not request system-wide config changes or modify other skills.
What to consider before installing
This skill appears to implement a local tech-tree manager and the SKILL.md and Python code are largely coherent with that purpose. However: (1) Inspect the full mem0_skill.py before running — search for network, http, socket, subprocess, os.system, urllib, requests, or any hardcoded endpoints; the file was truncated in the package listing so verify there are no unexpected external calls. (2) Do not run npm install in this directory unless you trust the mem0ai package author — package.json lists an unrelated Node dependency that the Python script doesn't need. (3) Back up tree.json before using store/clear and run the script under a non-privileged user or in an isolated environment (container/VM) first. (4) If you plan to use it long-term, consider running it in a virtualenv and auditing third-party imports (jieba, etc.). If you want, I can scan the remainder of mem0_skill.py for network or subprocess usage if you paste the truncated portion.Like a lobster shell, security has layers — review code before you run it.
aivk97brcfv6ce958nmdenhvh1hpx83pwbvcognitivevk97brcfv6ce958nmdenhvh1hpx83pwbvknowledge-graphvk97brcfv6ce958nmdenhvh1hpx83pwbvlatestvk97brcfv6ce958nmdenhvh1hpx83pwbvmemoryvk97brcfv6ce958nmdenhvh1hpx83pwbvtech-treevk97brcfv6ce958nmdenhvh1hpx83pwbv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.