Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Elite Longterm Memory 1.2.3
v1.0.0 · Ultimate AI agent memory system for Cursor, Claude, ChatGPT & Copilot. WAL protocol + vector search + git-notes + cloud backup. Never lose context again. Vib...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Functionality (WAL file, MEMORY.md, daily logs, simple CLI) aligns with the described 'long-term memory' purpose. However the package/registry metadata is inconsistent (registry lists version 1.0.0 while package.json/SKILL.md show 1.2.3; ownerId values differ; registry lists no homepage but package.json contains a GitHub URL). The SKILL.md and README reference running npm and python3 and enabling a LanceDB plugin, but the declared required binaries list is empty — the skill includes a Node CLI, so node/npm should be declared. These mismatches suggest sloppy packaging or poor provenance.
Instruction Scope
Runtime instructions are largely scoped to creating and managing local files (SESSION-STATE.md, MEMORY.md, memory/*) and recommending configuration changes to agent config files (e.g., ~/.openclaw/openclaw.json or ~/.clawdbot/clawdbot.json). The docs also reference optional external services (SuperMemory, Mem0) and example commands that call python3 memory.py (a script not included in the bundle) and npm install mem0ai. The instructions therefore rely on external tooling and optional keys; they do not attempt to read unrelated system secrets, but they do instruct users to modify agent config files and to export API keys if they opt into cloud services.
Install Mechanism
There is no install spec (instruction-only), which reduces risk. The bundle includes a Node CLI (bin/elite-memory.js) and a package.json listing mem0ai as optionalDependency. Because the skill contains executable JS, installing or executing it (npx or node) will write files in the user's workspace. No downloads from arbitrary URLs are present in the bundle. Still, the presence of a CLI means the user should inspect the script before running it.
Credentials
Declared required env vars are limited to OPENAI_API_KEY, which is plausible for memory search/semantic recall. The SKILL.md and README mention additional optional keys (MEM0_API_KEY, SUPERMEMORY_API_KEY) for optional integrations; those are not required by default. No unrelated credentials (AWS, GitHub tokens, etc.) are requested. However, the skill references external services that would require more secrets only if the user opts in.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges. The CLI only writes files into the current working directory and checks for a LanceDB path under HOME; it does not modify other skills or system-wide agent code by itself. The SKILL.md asks the user to edit agent config files if they want to enable the LanceDB plugin — it does not perform those edits automatically.
What to consider before installing
This skill appears to implement a local file-based memory system and a small Node CLI that initializes SESSION-STATE.md, MEMORY.md, and daily logs. Before installing or running it:
1) Verify the package provenance (registry metadata has mismatched version and ownerId vs package.json/_meta.json and homepage), and prefer an official GitHub/npm release if available.
2) Inspect bin/elite-memory.js yourself — it writes files in the working directory (benign for a memory tool) but it's executable JS so only run it if you trust the author.
3) Expect to need node/npm (and optionally python3) even though required binaries are not declared; ensure those tools are available.
4) Be cautious when enabling optional cloud features (Mem0, SuperMemory) — they require separate API keys and will send data to external services. Only provide keys you trust and understand what data will be uploaded.
5) If provenance is unclear, prefer to recreate the simple file templates yourself rather than running the CLI.
These inconsistencies lower confidence in packaging quality; proceed only after manual review or obtaining the code from a verified upstream source.
Like a lobster shell, security has layers — review code before you run it.
latestvk97a9evqe8rstehcyxjb0h693581nzvf
Runtime requirements
🧠 Clawdis
Env: OPENAI_API_KEY
