luci-memory
PassAudited by VirusTotal on May 7, 2026.
Overview
Type: OpenClaw Skill Name: luci-memories Version: 1.0.0 The skill provides a legitimate interface for searching personal video memory and portrait data via the Luci-memory API. It includes functionality for managing an API key, resolving user IDs, and retrieving media content like transcripts and images. The code in `scripts/run.py` and instructions in `SKILL.md` are consistent with the stated purpose, and all network communication is directed to the service's own domains (memories.ai).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the skill directory or environment may be able to reuse the Memories.ai key to access the user's memory data.
The skill intentionally persists a sensitive API key for later account access. This is purpose-aligned, but users should understand the credential storage behavior.
When the user provides their key, save it to `{baseDir}/.env`... the key is loaded automatically from `.env` on every run.Provide the key only if you trust the skill and host environment; remove the .env file or revoke the key when it is no longer needed.
Search terms and returned memory content may involve personal videos, images, transcripts, traits, events, relationships, and speeches.
The skill sends credential-backed requests and personal search queries to external Memories.ai endpoints. This is expected for the service, but it is a sensitive data boundary.
API_HOST = "https://skills.memories.ai/luci-memory" ... USERINFO_API = "https://mavi-backend.memories.ai/serve/api/userinfo"
Install only if you trust the Memories.ai service and are comfortable with the agent querying that personal data on your behalf.
Private photos or keyframes could be posted to a chat target if the agent follows this flow without careful context.
The skill documents a workflow for downloading private images/keyframes and sending them into chat. This is aligned with returning media to the user, but it can expose private images if used in the wrong channel.
curl -sL -o /path/to/workspace/image.jpg "https://skills.memories.ai/luci-memory/personal/image?bucket=<bucket>&blob=<blob>" ... openclaw message send --channel <channel> --target <chat_id> --media /path/to/workspace/image.jpg
Only ask the agent to send images in trusted chats, and verify the destination before sharing sensitive media.
Users have less external context for verifying who maintains the skill or where the code came from.
The registry metadata does not provide a source repository or homepage, which limits provenance review for a skill that handles credentials and private data.
Source: unknown; Homepage: none
Prefer installing only if you recognize the publisher or can independently verify the skill's origin.