Nima Core
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: nima-core
Version: 3.1.5

The nima-core skill bundle is a highly professional and security-conscious memory and affect system for AI agents. The codebase demonstrates significant security maturity, including explicit mitigations for Cypher injection in nima_core/hive_mind.py (addressing LadybugDB's lack of parameterized queries), path traversal protection in nima_core/storage/hybrid_search.py, and a critical transition from insecure pickle serialization to HMAC-signed JSON in nima_core/cognition/sparse_block_memory.py. The installation and maintenance scripts (install.sh, doctor.sh) follow best practices, such as avoiding arbitrary shell execution when parsing environment variables. All declared permissions and network calls to voyage.ai or openai.com are strictly aligned with the stated purpose of generating embeddings for semantic recall.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing could run and persist code from a remote branch that was not the exact reviewed package version.
The installer pulls a mutable remote branch and deploys its hooks into the local OpenClaw extensions directory, so the installed code may differ from the reviewed registry artifact.
BRANCH="release/v3.3.3" ... git clone https://github.com/lilubot/nima-core.git . ... git checkout "$BRANCH" ... cp -r "openclaw_hooks/$hook" "$EXTENSIONS_DIR/"
Install only from a pinned, reviewed release or commit; inspect the cloned repository before running the installer; prefer a virtual environment and avoid unreviewed updates.
After installation, the agent can keep capturing and using memory in future sessions, not just during one task.
The skill intentionally installs persistent hooks that continue operating across conversations until disabled.
Three hooks run invisibly on every message: ... nima-memory ... nima-recall-live ... nima-affect
Enable only the hooks you want, review OpenClaw plugin configuration, and remove the NIMA entries if you no longer want persistent memory.
Past private or misleading conversation content may be remembered and influence future agent responses.
The skill stores conversation history and later injects retrieved memories into agent context, which is central to its purpose but can retain sensitive or poisoned content.
nima-recall-live ... Searches memories ... Injects top results as context (3000 token budget) ... nima-memory ... Captures conversation ... Store in SQLite
Review what is stored under ~/.nima, keep subagent/heartbeat filtering enabled, and periodically prune or delete memories you do not want reused.
If you choose a hosted embedding provider, conversation text may be sent to that provider and billed to your API key.
The skill can use third-party provider credentials and send text to external embedding APIs when configured.
VOYAGE_API_KEY ... Required when NIMA_EMBEDDER=voyage ... OPENAI_API_KEY ... Required when NIMA_EMBEDDER=openai ... sends text for embeddings
Use local embeddings if you want offline operation; otherwise use scoped provider keys and review provider privacy/billing terms.
If enabled, older conversation transcripts may leave the local machine for external LLM processing.
The optional memory-pruning workflow can send stored conversation content to an LLM for distillation.
Every conversation older than N days gets sent through an LLM, compressed into a compact semantic gist
Do not enable live pruning or scheduled cron pruning unless you have reviewed the LLM provider configuration and are comfortable sending that data.
If enabled, memories from one agent may be visible to or used by another agent.
The artifacts document optional cross-agent memory sharing, which is sensitive even if purpose-aligned.
Hive Mind ... Multi-agent memory sharing via shared DB + optional Redis pub/sub. build_agent_context() aggregates memories across agents
Keep multi-agent sharing disabled unless needed, and isolate shared databases or Redis instances by project or trust boundary.
