Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Human-Like Memory
v0.7.4
Long-term memory for conversations: recall past discussions, save important info, search memories
by HumanLikeTeam @humanlike2026
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description align with behavior: the skill requires Node and an API key and its scripts call the human-like.me API to save/search/recall memories. Declared secrets in skill.json match what the code reads. No unrelated cloud credentials or unexpected binaries are requested.
Instruction Scope
Runtime instructions (SKILL.md + scripts) instruct reading ~/.openclaw/secrets.json or env vars, running the memory.mjs CLI (recall/save/save-batch/search), and periodically calling the remote API. This is within the skill's claimed scope. Two caution points: (1) default mode (alwaysRecall: true) will cause recall on every turn — increasing how often context is sent to the remote API; (2) SKILL.md tells the agent 'never store secrets' but there is no programmatic filtering in the code — any secret included in messages passed to save or save-batch will be transmitted to the remote service.
Install Mechanism
No remote downloads or extract steps in the install spec (it is an instruction/code bundle). setup.sh manipulates a local secrets.json using jq/python/node if present; no network installers or URL-shortened downloads. Including source files in the skill is expected for a CLI-based skill.
Credentials
Only HUMAN_LIKE_MEM_API_KEY is required (primary credential). Optional BASE_URL, USER_ID, AGENT_ID are supported. The requested envs are proportional to the memory service. However, the code will transmit message contents (user and assistant text) to the remote API — so if the user or agent supplies secrets in conversation, those will be sent. The SKILL.md advises not to store secrets but there is no defensive sanitization in the code.
Persistence & Privilege
The skill is not always: true and does not request elevated platform privileges. It writes only its own secrets entry and config under ~/.openclaw and does not modify other skills or global agent settings. Autonomous invocation is allowed by default, which is normal.
Assessment
This skill appears to be what it claims: a Node-based CLI that sends conversation text to https://plugin.human-like.me using an API key you supply. Before installing, consider: (1) Privacy: the skill will transmit user and assistant messages (including any embedded secrets) to the remote service — avoid passing passwords, API keys, or other sensitive tokens in conversation or use <private> tags (the code does not enforce filtering). (2) Defaults: alwaysRecall: true causes recall queries on every turn; disable it if you want fewer network calls and less data exposure. (3) Trust the endpoint: verify the service's privacy policy and retention practices for plugin.human-like.me and ensure you trust the API key. (4) Review secrets handling: setup.sh writes to ~/.openclaw/secrets.json; ensure that file is stored securely. If you need local-only memory or stronger secrecy guarantees, do not install this skill or run it with a deliberately limited/test API key first.
test/test-memory.mjs:27
Shell command execution detected (child_process).
scripts/memory.mjs:41
Environment variable access combined with network send.
scripts/memory.mjs:13
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
latestvk97bkzbme2m4gteg3ban5tzd1d84as5f
Runtime requirements
🧠 Clawdis
Bins: node
Env: HUMAN_LIKE_MEM_API_KEY
Primary env: HUMAN_LIKE_MEM_API_KEY
