Elite Longterm Memory 1.2.3
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: elite-longterm-memory-1-2-3 Version: 1.0.0 The skill is classified as suspicious due to two main indicators found in `SKILL.md`. First, the agent instruction to "Store in Git-Notes (SILENTLY)" allows the agent to perform actions without explicit user notification, which is a risky capability that could be abused, even if its stated purpose here is benign. Second, the use of `$DIR` in commands like `python3 memory.py -p $DIR remember ...` presents a potential shell injection vulnerability if the agent's execution environment does not properly sanitize or quote the variable, although the skill itself does not demonstrate malicious intent by crafting a harmful payload for it. The `bin/elite-memory.js` script performs only local file operations and is benign.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Saved memories may influence future agent behavior, including if incorrect or sensitive facts are stored.
The skill intentionally stores and retrieves persistent context that can be injected into later agent sessions.
Semantic search across all memories. Auto-recall injects relevant context.
Review memory files and vector-memory settings periodically, and avoid storing secrets or unverified instructions as durable memory.
If enabled, parts of your conversation or memory may be sent to third-party memory services.
The docs describe optional external memory providers that can receive stored context or conversation messages.
CLOUD BACKUP (SuperMemory) — Optional ... Cross-device sync ... await client.add(messages, { user_id: "user123" });Enable cloud backup or Mem0 only if you trust the provider, understand retention settings, and are comfortable syncing that data.
Provider credentials may be used for embeddings, memory search, or external memory features.
The skill requires an OpenAI API key for the advertised memory-search workflow and documents optional keys for cloud memory providers.
requires:\n env:\n - OPENAI_API_KEY
Use least-privilege API keys where possible, keep them out of memory files, and rotate them if exposed.
Running this command can permanently remove stored vector memories.
The documentation includes a destructive command that deletes the LanceDB vector-memory directory.
rm -rf ~/.openclaw/memory/lancedb/
Only run reset/delete commands intentionally, after backing up any memory data you want to keep.
You may run code from an external package source when following the CLI setup instructions.
The README tells users to execute the package through npx, which can fetch and run code from the package registry.
npx elite-longterm-memory init
Install from a trusted registry, consider pinning a version, and review the package before running it in sensitive workspaces.