ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mem0 1.0.0

v1.0.0

Intelligent memory layer for Clawdbot using Mem0. Provides semantic search and automatic storage of user preferences, patterns, and context across conversati...

0· 387·3 current·3 all-time
by@sieyer
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's name, description, and code consistently implement a local memory layer (uses mem0ai, local vector store, OpenAI embedder/LLM). However registry metadata claims no required environment variables while SKILL.md and scripts expect OPENAI_API_KEY. That metadata omission is an incoherence that affects whether the skill can run and what secrets it needs.
Instruction Scope
SKILL.md and the scripts limit activity to semantic search, add/list/delete operations, and local storage under ~/.mem0. The code does not attempt to read arbitrary system files or contact unexpected endpoints (it uses the mem0ai client which, per config, will call OpenAI). It documents what to store and not store. This is within the stated memory-purpose scope.
!
Install Mechanism
There is no install spec even though package.json, package-lock.json, and Node scripts are included. That means the skill either expects the environment to already have Node deps (mem0ai) installed or will fail. The package-lock references many transitive packages (normal for npm), but absence of an install instruction is a usability/security gap that could cause unexpected behavior.
!
Credentials
The skill actually reads process.env.OPENAI_API_KEY (and optionally JSON_OUTPUT) but the registry lists no required env vars. Requesting an OpenAI API key is proportionate to the stated purpose, but the omission from declared requirements is misleading. Also USER_ID is hardcoded to 'abhay' in config, which could cause cross-user data mixing unless overridden.
Persistence & Privilege
The skill persists data locally under ~/.mem0 and creates an SQLite history.db — that's expected for a memory store and does not modify other skills or system-wide settings. always is false. Note the fixed history path and default USER_ID which may lead to persistent data on disk and potential accidental sharing between contexts.
What to consider before installing
This skill appears to implement the memory functionality it claims, but there are important inconsistencies to resolve before installing: (1) It requires an OpenAI API key (OPENAI_API_KEY) even though the registry metadata declares no required env vars — supply and protect that key if you proceed. (2) The package includes Node scripts and package.json but provides no install instructions; you should run npm install (or otherwise ensure mem0ai and transitive deps are available) in a controlled environment or container. (3) The default USER_ID is hardcoded to 'abhay' and the skill writes data to ~/.mem0 — confirm you are comfortable with local persistent storage and change the default userId before use to avoid cross-user mixing. If you need higher assurance, ask the publisher for an explicit install spec and a corrected requirements list, review mem0ai's privacy/telemetry docs, and test the scripts in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk973p3nyefp246tdf0jcasv8v1824mjf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments