Mem0
v1.0.0Intelligent memory layer for Clawdbot using Mem0. Provides semantic search and automatic storage of user preferences, patterns, and context across conversati...
⭐ 3· 2.1k·22 current·25 all-time
byAbhay Bhat@abhayjb
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's name/description match the code: it implements a mem0 memory layer. However the registry metadata claims no required env vars and no required binaries, while the scripts and SKILL.md clearly require Node.js and an OPENAI_API_KEY. That mismatch is unexplained and disproportionate to the documented purpose (the skill legitimately needs the OpenAI key and node runtime but failed to declare them).
Instruction Scope
SKILL.md instructions stay on-topic (search before responding, add/list/delete memories). They instruct running the included Node scripts which call mem0 APIs and use the OPENAI_API_KEY for embeddings and extraction. Instructions also instruct storing a SQLite DB under ~/.mem0/history.db; that's within scope for a memory layer but is a persistence and privacy consideration. There are no obvious instructions to read unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
This is marked as an instruction-only skill (no install spec), yet the package.json/package-lock and scripts indicate Node code with an npm dependency (mem0ai). The skill does not declare that Node or npm must be available, nor does it provide an install step for dependencies. That makes the runtime behavior unclear and could surprise users (scripts will fail or behave inconsistently if dependencies are not installed).
Credentials
The code and SKILL.md explicitly require OPENAI_API_KEY (and optionally JSON_OUTPUT env var) but the registry metadata lists no required environment variables or primary credential. Requesting an OpenAI API key is reasonable for this function, but it must be declared. The scripts also default to a hardcoded USER_ID 'abhay', which is an odd/poorly generalized default and may expose or entrench a specific identity in a shared environment.
Persistence & Privilege
The skill writes persistent files to the user's home directory (~/.mem0/history.db) and uses a local vector store. That persistence is expected for a memory layer. always is false and the skill does not request system-wide config changes or other skills' credentials. Still, persistent local storage and autonomous model invocation (allowed by platform defaults) mean the skill can repeatedly access and store user data during use.
What to consider before installing
Before installing, be aware this skill expects you to run Node scripts and to provide an OPENAI_API_KEY (even though the registry metadata omits them). It will create a local DB under ~/.mem0 and send text to OpenAI for embeddings and extraction. Recommended steps: (1) only install if you are willing to provide an OpenAI key and allow local persistent storage; (2) run the package in an isolated environment and npm install the dependencies yourself (review package-lock); (3) consider creating an OpenAI key with limited scope or billing limits; (4) change the hardcoded USER_ID and review what memory types will be stored (avoid storing secrets); (5) if you need the skill to be non-autonomous, ensure agent invocation policies prevent automatic runs. The primary issues are metadata omissions (Node and OPENAI_API_KEY) and lack of an install procedure — these should be resolved or understood before trusting the skill.Like a lobster shell, security has layers — review code before you run it.
latestvk97fvnexzwa8bzbzvatsym6t7d821bhw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.