Mem0 Config

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Conversation details may be stored and reused later, potentially exposing sensitive information or causing stale/incorrect memories to influence future agent behavior.

Why it was flagged

The documented defaults automatically persist and re-inject memories. The skill does not clearly specify what information is filtered out, how long it is retained, or whether users approve each capture.

Skill content

`autoRecall` | `true` | Inject memories before each agent turn ... `autoCapture` | `true` | Store memories after each agent turn

Recommendation

Install only if you want persistent agent memory. Review or disable autoCapture/autoRecall when appropriate, use separate user IDs, inspect stored memories, and use memory deletion controls for sensitive or incorrect entries.

What this means

Using platform mode gives the plugin access to a Mem0 account and may send memory data to the Mem0 service.

Why it was flagged

Platform mode requires a Mem0 API key, which is expected for this integration. The artifacts do not show hardcoded credentials or credential leakage, but users should understand the account access involved.

Skill content

`platform` | `apiKey` from app.mem0.ai | Internet, Mem0 API key

Recommendation

Store the API key in an environment variable or secret manager, use the least-privileged key available, and choose self-hosted mode if you do not want memory data handled by the platform service.

What this means

The reviewed skill text is not the plugin code itself, so the actual installed package may add behavior beyond what this instruction-only skill shows.

Why it was flagged

The skill directs users to install an external plugin that is not included in the reviewed artifacts. This is central to the stated purpose, but users are trusting upstream package contents and updates.

Skill content

openclaw plugins install @mem0/openclaw-mem0

Recommendation

Install from a trusted registry/source, review the plugin package or repository when possible, and pin versions for repeatable deployments.

What this means

An agent could save incorrect information or delete useful memory entries if the tools are used carelessly.

Why it was flagged

The plugin exposes agent-callable tools that can add or delete memory entries. This is expected for a memory plugin, but it is mutation authority over persistent agent state.

Skill content

`memory_store` | Explicitly save a fact ... `memory_forget` | Delete by ID or query

Recommendation

Monitor memory changes, require user confirmation for broad deletion where possible, and periodically review stored memories.