Ultra Memory

This skill appears to do what it claims (a persistent multi-layer memory for agents), but it encourages automatic logging of many types of data (user messages, assistant replies, file paths, command strings, details) which can capture secrets or sensitive information if not configured correctly. Before installing or enabling: - Review the scripts (init.py, log_op.py, recall.py, restore.py, mcp-server.js, platform/server.py, clawbot_hook.py) to confirm what gets read/written and when. - Run the REST/MCP server only on localhost (127.0.0.1) unless you add authentication; avoid starting with --host 0.0.0.0. - Set ULTRA_MEMORY_HOME to a controlled path and restrict permissions (chmod 700 ~/.ultra-memory). - Configure sensitive_patterns and skip_paths in config.json to redact or skip any application-specific secrets (API keys, token patterns, ~/.ssh, /etc, etc.). Do not rely solely on the 'Do NOT log secrets' guidance — implement explicit filters. - If you plan to enable team/shared modes (S3, NAS), review the sharing/authentication setup and only provide credentials after auditing code that performs syncs. - Avoid enabling automatic hooks (clawbot hooks, automatic post_turn logging) until you’re confident about what will be logged. Prefer manual or audited logging calls. - Consider running the skill in an isolated environment (container or dedicated user account) first, and test what gets written to ops.jsonl/knowledge_base before using on sensitive projects. If you want, I can: list exact places in the code where user messages, file contents or command lines are written to disk (file names and functions), or suggest concrete config edits (regex patterns and skip_paths) to reduce leak risk.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.