Local Memory
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: local-memory Version: 1.0.0 The skill bundle provides a legitimate local vector memory system using ChromaDB and the BGE-small-zh-v1.5 embedding model. The scripts (memory_store.py, memory_recall.py, memory_forget.py) implement standard semantic storage and retrieval logic, while setup.py handles dependency installation and model downloading. No evidence of data exfiltration, malicious execution, or prompt injection was found; the use of a Hugging Face mirror (hf-mirror.com) is a common practice for users in restricted network environments.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Package or model changes upstream could affect what code or files are installed in the user's Python environment.
The setup script installs unpinned Python dependencies and downloads a model. This is consistent with the skill's purpose, but dependency and model provenance matter.
[py, "-m", "pip", "install", "chromadb", "sentence-transformers", "certifi"] ... SentenceTransformer("BAAI/bge-small-zh-v1.5")Install in an isolated Python environment, review dependencies, and prefer pinned package/model versions if possible.
Information saved through this skill may be recalled in later sessions and could influence future agent responses.
The skill persistently stores user-provided memory text in a local ChromaDB database under the skill directory.
DB_PATH = os.path.join(SCRIPT_DIR, '..', 'data') ... collection.add(... documents=[args.text] ...)
Only store information you intentionally want retained, avoid secrets, and use the forget command to remove memories when needed.