Memos
v0.1.9Create, read, update, and delete memos on a Memos instance (usememos/memos). Handles requests like "save this as a memo", "list my recent memos", "update mem...
⭐ 0· 789·6 current·6 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (Memos CRUD) match the instructions: the skill delegates operations to five MCP tools (memos_create, memos_list, memos_get, memos_update, memos_delete). These are reasonable and proportional to the stated purpose.
Instruction Scope
The SKILL.md stays within the stated purpose (how to create/list/get/update/delete memos). It explicitly instructs users to configure an MCP server entry that provides MEMOS_API_URL and MEMOS_TOKEN. It does not request access to unrelated files or secrets, but it does assume the agent can invoke MCP tools — a runtime capability that requires setup.
Install Mechanism
There is no install spec in the registry (instruction-only). The SKILL.md suggests configuring the MCP to run via the 'npx openclaw-memos-mcp' command. That implies code will be pulled via npm at runtime when the MCP is launched, which is normal but introduces supply-chain considerations (the SKILL.md does not pin a package version or provide a vetted release URL).
Credentials
The SKILL.md requires MEMOS_API_URL and MEMOS_TOKEN to function, but the skill metadata lists no required environment variables and no primary credential. This is an inconsistency: the skill will need an access token (sensitive credential) but the registry metadata doesn't declare it. Requesting an instance URL and a token is proportional to the purpose, but the missing declaration reduces transparency and could lead users to overlook the credential scope or origin.
Persistence & Privilege
The skill is not always-included (always: false) and does not request elevated system persistence. It doesn't instruct modification of other skills or global agent configuration beyond adding an MCP server entry for itself. Autonomous invocation is allowed but is the platform default and not, by itself, a red flag here.
What to consider before installing
This skill appears to do what it says (manage memos) but there are a few things to check before installing:
- The SKILL.md requires a MEMOS_API_URL and MEMOS_TOKEN but the registry metadata doesn't declare any required env vars or a primary credential. Treat the access token as sensitive: only provide a token you control and understand its permissions.
- The MCP entry uses 'npx openclaw-memos-mcp', which will pull code from npm at runtime. Verify the openclaw-memos-mcp package (author, version, and repository) before running it, and prefer pinned versions if possible.
- There is no homepage or source listed for this skill. If you rely on this skill, ask the publisher for the upstream source (repo or package) and for a package version to audit.
- Limit network exposure: ensure MEMOS_API_URL points to your intended Memos instance, and avoid using a token with broader privileges than necessary.
If the publisher can update the registry metadata to declare MEMOS_TOKEN as the primaryEnv and list the required env vars (MEMOS_API_URL, MEMOS_TOKEN) and provide a source/homepage, the risk and ambiguity would be reduced.Like a lobster shell, security has layers — review code before you run it.
latestvk970gp7v8rnz2x2cyw443jzajh81rpgj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.