Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Elite Longterm Memory
v1.2.4
Ultimate AI agent memory system for Cursor, Claude, ChatGPT & Copilot. WAL protocol + vector search + git-notes + cloud backup. Never lose context again. Vib...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (long-term memory with vector search, git-notes, WAL, cloud backup, Mem0 auto-extraction) broadly matches the included CLI, templates, and documentation. However, the declared runtime requirement lists only OPENAI_API_KEY while SKILL.md and README repeatedly reference SUPERMEMORY_API_KEY, MEM0_API_KEY, LanceDB, and external tools (python memory.py, supermemory, mem0ai). The included bin/elite-memory.js performs only local file/directory creation and status checks — it does not implement vector search, git-notes syncing, or cloud backup. Requiring only OPENAI_API_KEY is plausible for an OpenAI-backed memory search, but it's incomplete relative to the advertised integrations.
Instruction Scope
SKILL.md instructs the agent/user to: edit ~/.openclaw/openclaw.json, enable a LanceDB plugin, set SUPERMEMORY_API_KEY and MEM0_API_KEY, install mem0ai, and run python3 memory.py commands. memory.py is referenced but not included in the package. The instructions therefore ask the agent to access/edit config files outside the workspace and to call external cloud services (SuperMemory, Mem0), neither of which is reflected in the declared environment requirements. This is scope creep and could lead to inadvertent transmission of user data to third-party services if keys are provided.
Install Mechanism
There is no automated install spec (instruction-only skill plus included small npm package manifest). The package.json lists mem0ai as an optionalDependency (no automatic install here in OpenClaw). No downloads from arbitrary URLs or extract steps are present. The only included executable (bin/elite-memory.js) writes local files. Overall install risk is low, but the documentation expects users to npm install optional components (mem0ai) and to configure external services manually.
Credentials
Registry metadata requires only OPENAI_API_KEY, which makes sense if the skill uses OpenAI for semantic search. But SKILL.md and README reference additional sensitive env vars (MEM0_API_KEY, SUPERMEMORY_API_KEY) and examples that would transmit conversation data to third-party services. Those additional credentials are not declared in requires.env. The package also documents optional mem0 integration. The mismatch means the skill could lead users to provide extra credentials without those being reflected in the skill’s declared requirements or inspected code.
Persistence & Privilege
The skill is not marked 'always:true' and does not request elevated persistent presence. The included CLI writes files only into the current workspace and checks a path under the user's HOME for an optional LanceDB directory. It does not modify other skills' configs or system-wide settings (beyond instructing the user to edit ~/.openclaw/openclaw.json). Autonomous invocation is allowed by default but is not combined with other high-risk indicators here.
What to consider before installing
This skill mainly scaffolds a local memory folder and templates (SESSION-STATE.md, MEMORY.md, daily logs) and the included CLI is small and local. However, the documentation expects you to enable LanceDB, run an external python memory tool (memory.py, which is not included), and optionally send data to third-party services (Mem0, SuperMemory) using MEM0_API_KEY and SUPERMEMORY_API_KEY — those keys are not declared in the skill metadata. Before installing or running: (1) inspect bin/elite-memory.js (it only creates files) and confirm you are okay with it writing to the current workspace; (2) do not export SUPERMEMORY_API_KEY or MEM0_API_KEY unless you trust those services and understand they will receive conversation data; (3) find and review any referenced scripts (e.g., memory.py) before executing them; (4) if you plan to enable cloud backups or auto-extraction, verify the privacy policy and where data is sent; (5) consider contacting the publisher or locating the GitHub repo to confirm authenticity. These mismatches explain the 'suspicious' verdict; adding the missing files, explicit declared env vars, or removing references to external services would raise confidence toward 'benign.'
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🧠 Clawdis
Env: OPENAI_API_KEY
