Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Human-Like Memory Plugin

v0.4.4

Long-term memory plugin for OpenClaw: automatic recall, storage, and agent tools

by HumanLikeTeam (@humanlike2026)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (long‑term memory plugin) align with the code and docs: the plugin injects recalled memories and stores conversation turns to a remote memory service (plugin.human-like.me). Requesting an API key for a remote memory backend is expected. However the registry metadata provided at the top lists no required environment variables or primary credential while openclaw.plugin.json and SKILL.md both require/configure an API key (mp_xxx). That mismatch is inconsistent and should be clarified with the publisher.
Instruction Scope
SKILL.md instructs expected setup steps (install plugin, configure API key, set memory slot, enable recall/storage). The runtime code (index.js) includes extensive parsing of channel-formatted messages (Feishu, Discord) and logic to extract message_ids/platform user ids — behavior that goes beyond generic text trimming and will capture platform identifiers and message traceability metadata alongside user content. Capturing those identifiers is explainable for traceability but is privacy‑sensitive and should be disclosed to operators/users.
Install Mechanism
No separate install spec (instruction-only install via openclaw plugins). The plugin ships executable extension files (index.js) that will run inside OpenClaw; there is no external download URL or archive extraction in the package metadata. That is low risk in install mechanism terms.
Credentials
The plugin requires an API key and a baseUrl (plugin.human-like.me) to function; that is proportional for a remote memory backend. But the registry summary stated 'Required env vars: none' which contradicts openclaw.plugin.json where apiKey is required (env HUMAN_LIKE_MEM_API_KEY). Additional concerns: the code explicitly extracts platform-specific IDs and message_id blocks and will likely send them to the remote service, meaning the plugin transmits not just user text but platform identifiers/trace metadata. Also package.json declares a dependency on '@humanlikememory/human-like-mem' (itself), which is an odd/self-referential dependency and may indicate packaging problems or unexpected behavior.
Persistence & Privilege
The plugin is not configured as always: true and does not request system-level privileges in the manifest. It registers runtime hooks and agent tools (memory_search/memory_store) as expected for a memory plugin. Agent autonomous invocation is allowed (disable-model-invocation is false), which is the platform default and not flagged on its own.
What to consider before installing
This plugin behaves like a remote memory backend — it will (by design) send conversation content to plugin.human-like.me and can extract platform identifiers and message_ids from channel-formatted inputs. Before installing:
1) Confirm the apparent metadata mismatch (registry shows no required env var while the plugin requires an API key) with the publisher.
2) Review the privacy/security posture of the remote service (who controls plugin.human-like.me, retention policy, encryption, access controls).
3) Consider disabling automatic recall/storage or using a dedicated test account/API key until you audit network traffic to see exactly what is transmitted.
4) Ask the author about the self-dependency in package.json and verify the published package source (the package references a private GitLab repo, and a dependency on itself is unusual).
If you need lower risk, prefer a memory plugin that stores data locally or in a vetted cloud service you control.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- index.js:496: Environment variable access combined with network send.


Version: latest (vk97dh5psekz58eb92drhamtefd84breq)


Runtime requirements

🧠 Clawdis
