Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Memento

v0.6.0

Local persistent memory for OpenClaw agents. Captures conversations, extracts structured facts via LLM, and auto-recalls relevant knowledge before each turn....

by Benjamin RAIBAUD (@braibaud)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (local persistent memory + LLM extraction) match the code, data paths (~/.engram/conversations.sqlite and JSONL backups), optional LLM API keys, and an npm install. No unrelated credentials, binaries, or unexpected system paths are required.
Instruction Scope
Runtime instructions and SKILL.md are explicit about behavior: capture every conversation, store locally, and only send text to an external LLM when `autoExtract` (opt-in) is enabled. Migration tooling can read user workspaces (via a user-provided migration-config.json or MEMENTO_WORKSPACE_MAIN) to bootstrap the KB — this is powerful and documented, but it means large local files (including potential secrets) can be ingested if the user opts into migration. The docs warn about cloud LLM leakage and recommend local Ollama for air-gapped operation.
Install Mechanism
Install uses an npm package (@openclaw/memento). That is proportionate for a TypeScript/Node plugin. Package files (package.json, package-lock.json, source files) are present; no arbitrary external download URLs or opaque extract steps are declared in SKILL.md.
Credentials
No required env vars; optional env vars map directly to supported LLM providers (ANTHROPIC_API_KEY, OPENAI_API_KEY, MISTRAL_API_KEY, MEMENTO_API_KEY) and migration settings. CLAUDE_CODE_OAUTH_TOKEN is listed as an OpenClaw internal token that may be auto-used when running inside OpenClaw — this is expected for a plugin that delegates model routing to the host, but users should know platform-level tokens may be consulted when Memento runs inside OpenClaw.
Persistence & Privilege
always:false and user-invocable:true. The plugin stores data locally and registers capture/recall hooks (normal for a memory plugin). It does not demand always-on inclusion or system-wide config changes beyond its own data files.
Assessment
What to consider before installing:
- Defaults are privacy-first: extraction that sends text to cloud LLMs is opt-in (extraction.autoExtract defaults to false). Keep autoExtract off if you do not want any conversation text sent to external providers.
- If you want fully air-gapped operation, run a local Ollama model and configure extractionModel to an ollama/* model; no cloud API key is needed.
- Migration is powerful: the migrate tooling can read workspace files specified in ~/.engram/migration-config.json or via MEMENTO_WORKSPACE_MAIN. Only run migration if you trust the configured paths and have reviewed which files will be ingested (these can include large or sensitive local files).
- Data is stored at ~/.engram/conversations.sqlite and ~/.engram/segments/*.jsonl — inspect, back up, or encrypt these files if needed.
- The plugin delegates model routing to OpenClaw when run inside the platform and may use platform tokens (CLAUDE_CODE_OAUTH_TOKEN) for routing; verify your OpenClaw auth policy if you want to limit which models/providers are used.
- The install is via npm (@openclaw/memento). As with any third-party package, consider reviewing the package source or installing in a sandbox before granting it access to production workspaces.

Confidence note: High — the repository, SKILL.md, and changelog are internally consistent. The main risks are user-configured behaviors (enabling autoExtract or running migration) rather than silent or unexpected access.

Like a lobster shell, security has layers — review code before you run it.

latestvk977xng613wpxc99800v76ywv9822gf8

Runtime requirements

🧠 Clawdis

Install

Install Memento plugin (npm): `npm i -g @openclaw/memento`