ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Elite Longterm Memory

v1.2.3

Ultimate AI agent memory system for Cursor, Claude, ChatGPT & Copilot. WAL protocol + vector search + git-notes + cloud backup. Never lose context again. Vib...

0· 78·0 current·0 all-time
by@jpengcheng523-netizen·duplicate of @itsjustfred/elite-longterm-memory-1-2-3
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (agent long-term memory) matches the files and runtime behavior: creating SESSION-STATE.md, MEMORY.md, a memory/ directory, and CLI helpers is coherent. Requiring OPENAI_API_KEY for semantic search is reasonable. Minor provenance discrepancies: the registry Owner ID (kn751...) differs from _meta.json ownerId (kn7ewy...), and the skill metadata lists no homepage while package.json points to a GitHub repo — these inconsistencies weaken trust but do not by themselves indicate malicious behavior.
Instruction Scope
SKILL.md instructs the agent to create and modify workspace files (SESSION-STATE.md, MEMORY.md, memory/YYYY-MM-DD.md) and edit agent config (e.g., ~/.openclaw/openclaw.json) to enable LanceDB — all expected for a memory system. It also recommends optional external services (Mem0, SuperMemory) and shows commands that would send memory data to those third-party APIs; those are explicit but represent potential data exfiltration if used. Some referenced commands/files (e.g., python3 memory.py usage) are not included in the package — they appear to be integrations or examples rather than bundled code.
Install Mechanism
There is no automatic install script in the registry metadata (instruction-only). The package includes a small CLI (bin/elite-memory.js) and a package.json with an optional dependency (mem0ai). Nothing in the included files downloads or executes remote code. The only install action a user might take is optional 'npm install mem0ai' (explicit in docs). No suspicious download URLs or archive extraction are present.
Credentials
The skill declares a single required env var: OPENAI_API_KEY, which is proportionate for OpenAI-based semantic search. The SKILL.md and README also instruct users to export optional secrets (MEM0_API_KEY, SUPERMEMORY_API_KEY) for third-party integrations; those are optional but powerful (would allow sending memory data to external services). The skill does not request unrelated credentials, but users should be aware optional integrations will require additional keys.
Persistence & Privilege
always:false and normal autonomous invocation settings are fine. The skill writes files in the workspace and suggests editing the user's agent config (~/.openclaw/openclaw.json) to enable LanceDB — this is reasonable for a memory system. It does not request elevated or system-wide privileges, nor does it modify other skills' configuration beyond advising the user to enable a plugin.
What to consider before installing
This package appears to implement local, file-based agent memory and is largely coherent with that purpose, but exercise caution before enabling optional integrations. Actionable checks before installing: - Verify provenance: the registry Owner ID and the _meta.json ownerId do not match and the skill metadata showed no homepage; confirm the upstream GitHub repo and author before trusting it. - Do NOT export or provide MEM0_API_KEY or SUPERMEMORY_API_KEY unless you trust those third-party services — they would receive your agent's memory content (sensitive data). - Review the included files (bin/elite-memory.js, README, SKILL.md) yourself; the bundle is small and easy to inspect. The CLI only writes markdown files and checks for local LanceDB paths. - Be aware the skill instructs editing ~/.openclaw/openclaw.json to enable a memory plugin — back up that file first and inspect changes before applying them. - Note some examples reference external scripts (python3 memory.py) that are not bundled; these are integration examples, not hidden code. If you need higher assurance, ask the publisher for a canonical repository URL and a signed release, or run the package in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dhnsf4kywy0a70qc5x8sz0s83ha94

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧠 Clawdis
EnvOPENAI_API_KEY

Comments