enterprise-memory-skill
Audited by ClawScan on May 15, 2026.
Overview
The skill mostly matches its memory-management purpose, but it can automatically create persistent memories and its rejection path does not actually remove them.
Install only if you are comfortable with the agent maintaining persistent local memory. Before use, disable automatic hidden memory writes unless you explicitly want them, verify the dependency install command, and confirm that deletion/rejection actually removes stored memories.
Publisher note
**Enterprise Async Memory Engine** is a RAG (Retrieval-Augmented Generation) enhancement plugin designed specifically for the OpenClaw architecture. Using high-performance asynchronous vector retrieval, the engine aims to break through the physical limits of the large language model (LLM) context window, giving the Agent a long-term memory hub with **persistent**, **semantic**, and **self-evolving** capabilities.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Normal conversations may cause the agent to store or update long-term memories in the background.
The prompt requires the agent to add a hidden memory-control instruction at the end of every response, which can override normal response behavior and create side effects without a visible per-item approval step.
On every reply, you must output at the very end of the answer a strictly formatted JSON instruction to manage the long-term knowledge base. That code block is silently intercepted and processed by the underlying system.
Make memory writes opt-in or visibly confirmed, and avoid instructions that require hidden memory commands on every reply.
Private, incorrect, or prompt-injection-like content from a conversation could be saved and reused in later tasks.
The documented default workflow has the LLM automatically decide what to place into long-term memory; the artifacts do not show a clear user approval, sensitivity filter, or retention control beyond confidence thresholds.
Mode 1: Agent automatic memory ... The LLM automatically identifies key information during the conversation and triggers the JSON instruction.
Require explicit user consent for memory writes, label stored memories by source, and provide clear review, retention, and deletion controls.
Rejected or sensitive memories may remain stored and may also appear in logs.
The rejection action logs the rejected content and returns success, but deletion is only marked as a TODO, so the user may believe a memory was removed when it was not.
```python
elif action == "REJECT_MEMORY":
    content = params.get("content", "")
    logger.info(f"Memory rejected: {content}")
    # TODO: can be extended to delete by content or metadata
    return {"status": "success", "action": "rejected"}
```
Implement actual deletion or correction before returning success, and avoid logging rejected memory content unless the user explicitly enables it.
If an attacker can tamper with the local memory database file, loading the skill could become unsafe.
The skill uses Python pickle to load its local memory database. This is purpose-aligned persistence, but pickle can execute code if the database file is replaced or modified by an untrusted party.
```python
with open(self.db_path, 'rb') as f:
    self.data = pickle.load(f)
```
Store memory data in a safer format such as JSON, SQLite, or a dedicated vector store, or strictly protect the database path from untrusted writes.
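As an added example (not the skill's own code), a hypothetical `MemoryStore` that addresses the two findings above: it persists to JSON instead of pickle and rejects a database file of unexpected shape, and its `REJECT_MEMORY` path actually deletes the entry while logging only a content hash. The class name, the `source` label and the id scheme are assumptions.

```python
import hashlib
import json
import logging
from pathlib import Path

logger = logging.getLogger("memory_store")

class MemoryStore:
    """Hypothetical store: JSON on disk instead of pickle, with a rejection path that deletes."""
    def __init__(self, db_path):
        self.db_path = Path(db_path)
        self.data = {}  # memory id -> {"content": ..., "source": ...}
        self._load()

    def _load(self):
        if not self.db_path.exists():
            return
        # json.load never executes code; a tampered or non-JSON file raises ValueError
        with open(self.db_path, "r", encoding="utf-8") as f:
            raw = json.load(f)
        if not isinstance(raw, dict):
            raise ValueError("memory database has unexpected shape")
        self.data = raw

    def _save(self):
        tmp = self.db_path.with_suffix(".tmp")  # write-then-rename keeps the file consistent
        with open(tmp, "w", encoding="utf-8") as f:
            json.dump(self.data, f, ensure_ascii=False)
        tmp.replace(self.db_path)

    @staticmethod
    def memory_id(content):
        return hashlib.sha256(content.encode("utf-8")).hexdigest()[:16]

    def add(self, content, source="llm"):
        mid = self.memory_id(content)
        self.data[mid] = {"content": content, "source": source}  # label each memory by source
        self._save()
        return mid

    def handle(self, action, params):
        if action == "REJECT_MEMORY":
            content = params.get("content", "")
            mid = self.memory_id(content)
            removed = self.data.pop(mid, None) is not None
            logger.info("Memory rejected: id=%s removed=%s", mid, removed)  # hash only, not the text
            self._save()
            return {"status": "success" if removed else "not_found", "action": "rejected"}
        return {"status": "error", "action": "unknown"}
```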
Users could install the wrong package or receive unexpected package versions.
The documented setup asks users to install unpinned packages, including a package name that does not match the imported sentence-transformers library; the install is manual and purpose-related, but users should verify it.
```shell
pip install sentence-layers torch numpy pyyaml
```
Use the expected package names, pin versions or hashes, and prefer a reviewed install specification.
