ClawHub

Zouroboros Memory

v3.0.0

Production-grade persistent memory for AI agents. Hybrid SQLite + vector search, decay classes, episodic memory, cognitive profiles, and MCP server.

1· 50·0 current·0 all-time
by@marlandoj
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description align with the code and files: a Node.js package that provides persistent memory (SQLite schema, embeddings, episodic memory, graph, MCP server, CLI). Required binary (node) and npm install are appropriate for this functionality.
Instruction Scope
SKILL.md and README show normal, scoped runtime instructions (npx CLI, start MCP server, init DB, store/search facts). The runtime code will call external services only when vectorEnabled or reranker features are enabled (calls to Ollama endpoints and OpenAI API). The skill also reads/writes a local DB path (~/.zouroboros/memory.db) and can read files for batch import — these are expected for a persistent memory tool but should be noted.
Install Mechanism
Install spec is an npm package (zouroboros-memory) that creates two binaries — expected. It depends on better-sqlite3 (native addon compiled on install), which raises the usual native-build/supply-chain considerations but is proportionate to embedding a local SQLite storage engine.
!
Credentials
Registry metadata declared no required env vars, but the code/README use several optional env vars (ZO_MEMORY_DB / ZOUROBOROS_MEMORY_DB, OLLAMA_URL, OLLAMA_MODEL, OPENAI_API_KEY, ZO_OPENAI_API_KEY). Those are functionally justified (DB override, enabling embeddings via Ollama, enabling OpenAI reranker) but the metadata omission is an inconsistency. Enabling vector or reranker features will send content to external endpoints (ollama host or api.openai.com), which can leak sensitive data if unintentionally enabled.
Persistence & Privilege
always:false (normal). The package will create and persist a database under the user's file system (default ~/.zouroboros/memory.db) and write migration tables, indices, and embeddings; this is expected and required for a memory skill but is a persistent local footprint the user should accept explicitly.
Assessment
This skill appears to implement what it claims: a local hybrid SQLite + vector memory with CLI and an MCP server. Before installing, consider: - If you enable vector search or reranking, the skill will send text to external services (OLLAMA_URL or OpenAI). Only set these env vars if you trust the destination (prefer a local Ollama instance). - The package writes a database by default to ~/.zouroboros/memory.db — pick and review the DB path if you don't want persistent data in your home directory. - The npm package depends on better-sqlite3 (native addon) which compiles on install — review/build in a controlled environment if you have supply-chain concerns. - Registry metadata did not declare env vars or the config path; this is likely an oversight. Verify the upstream repository and package integrity (check GitHub releases, package contents, and package checksum) before installing into a production agent. - For minimal risk, run the package in a sandboxed environment, avoid setting OPENAI_API_KEY or OLLAMA_URL to public endpoints, and audit network activity the first time the skill runs.
dist/chunk-CIYBIABX.js:317
Environment variable access combined with network send.
dist/index.js:704
Environment variable access combined with network send.
src/llm.ts:44
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk979xaxkn94y3h4n5wqchnf42h84s7wt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧠 Clawdis
Binsnode

Install

Install Zouroboros Memory (npm)
Bins: zouroboros-memory, zouroboros-memory-mcp
npm i -g zouroboros-memory

Comments