ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Neural Memory

v4.47.0

Associative memory with spreading activation for persistent, intelligent recall. Use PROACTIVELY when: (1) You need to remember facts, decisions, errors, or...

7· 8.2k·73 current·78 all-time
byNGUYEN VIET NAM@nhadaututtheky
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The declared purpose (associative, persistent memory for agents) matches the runtime instructions (storing/recalling memories, auto-injecting context). However the registry/install metadata is inconsistent: SKILL.md instructs both pip (python) and npm installs using different package names (pip: 'neural-memory'; npm: 'neuralmemory'), while the registry 'install' entry claims a node-kind package named 'neural-memory' but labels it 'pip install neural-memory'. This mismatch could be an authoring error or indicate the registry entry points to the wrong package.
!
Instruction Scope
Instructions tell the agent/plugin to auto-inject context before each agent run and auto-capture facts/decisions/TODOs at agent end, and to create a local brain at ~/.neuralmemory. That behavior is coherent for a memory plugin but means conversation contents will be stored and re-inserted automatically — a significant privacy/ data-leak surface. The SKILL.md also instructs modifying openclaw.json and ~/.openclaw config, which is normal for plugins but is a system-level configuration change the user should consent to.
!
Install Mechanism
No code files are in the skill bundle (instruction-only), so runtime depends on external packages. The instructions ask for 'pip install neural-memory' (Python) and optionally 'npm install -g neuralmemory' (Node). The registry metadata's single install spec is inconsistent (kind: 'node' but label 'pip install neural-memory' and package name mismatch). Installing binaries from pip/npm is common, but the mismatch in package names/kind is an integrity red flag — verify which package(s) you will actually install and from which registry before running installs.
Credentials
Only one required env var is listed: NEURALMEMORY_BRAIN (declared as the primary credential). That appears to be a brain identifier/name rather than a secret API token; asking for one environment value is proportionate. However the skill will read and write to ~/.neuralmemory and may be configured via openclaw.json or MCP env entries, so check that NEURALMEMORY_BRAIN is not set to a secret value and that stored brain data does not inadvertently contain sensitive material.
Persistence & Privilege
always is false (good). The plugin is intended to be registered as the agent's memory slot and will auto-inject and auto-capture across runs; this gives it ongoing influence on agent behavior and a persistent datastore on disk (~/.neuralmemory). That is expected for a memory plugin but increases blast radius if the installed packages are malicious or misconfigured — consider limiting its scope or running in an isolated environment.
What to consider before installing
Before installing: (1) Verify package provenance and names — SKILL.md references two packages (pip: 'neural-memory' and npm: 'neuralmemory') but the registry metadata is inconsistent. Confirm the exact package(s) and inspect their source (PyPI/GitHub and npm) and release contents before installing. (2) Understand auto-capture/injection: the plugin will store conversation content under ~/.neuralmemory and automatically re-insert it into future agent runs — do not enable it if that data may include secrets. (3) Treat NEURALMEMORY_BRAIN as a configuration name, not a secret; ensure you are not placing sensitive tokens there. (4) Prefer installing in a sandbox or test agent first, review the installed package files (package.json, setup.py, or repository) and the plugin's built JS before enabling it in openclaw.json. (5) If you proceed, back up any existing OpenClaw config and the ~/.neuralmemory directory, and consider disabling autoCapture/autoContext until you are comfortable with behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a6r61rxkac4vc9e7q5efw3h84ve5a

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

brain Clawdis
OSmacOS · Linux · Windows
Binspython3
EnvNEURALMEMORY_BRAIN
Primary envNEURALMEMORY_BRAIN

Install

pip install neural-memory
Bins: nmem
npm i -g neural-memory

Comments