Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claw Memory Lite

Manage and query your agent's distilled long-term memory with lightweight, fast SQLite-powered tools and automated daily extraction.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by TimothySong @timothysong0w0
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (local SQLite long-term memory extraction + query) aligns with the bundled scripts: db_query.py, nightly_meta_extract.py, trust_scorer.py, friction_detector.py, regressions_guardrail.py implement database init, extraction heuristics, scoring and queries — these are coherent with the stated purpose. However, setup/packaging and runtime instructions claim an extract_memory tool is the main entrypoint, but scripts/extract_memory.py in the bundle is empty and setup.py registers scripts.extract_memory entry points: this is inconsistent with the claimed capability.
Instruction Scope
SKILL.md and README instruct adding extract_memory.py to HEARTBEAT/cron to auto-extract daily files and point to ~/.openclaw/.../scripts/extract_memory.py, but the provided extract_memory.py file is empty (0 bytes). Other scripts (nightly_meta_extract.py) implement extraction logic and touch workspace files, MEMORY.md, REGRESSIONS.md and /home/node/.openclaw/database/insight.db — behavior itself is within purpose, but instructions will execute a missing/empty script unless the user substitutes another script. There are also multiple slightly inconsistent path examples (/home/node/.openclaw/extensions/..., /home/node/.openclaw/workspace/scripts/..., ~/.openclaw/extensions/...) which could lead to accidental running of the wrong file or failure.
Install Mechanism
No install spec is provided in the registry (instruction-only), yet the package includes setup.py and console entry_points that expect scripts.extract_memory:main; this mismatch means the listed install artifacts (entry points) won't work if the package is installed as-is because the main extraction script is missing. There is no external download or network-based installer; risk from install mechanism is low but the packaging is inconsistent/unfinished.
Credentials
Registry metadata reports no required env vars or credentials, which broadly fits a local-only SQLite tool. The code does read optional environment overrides (CLAW_MEMORY_DB_PATH, CLAW_MEMORY_WORKSPACE) and the docs mention them — that's reasonable. No credentials or network endpoints are requested or hard-coded. Still, the skill will read and write files under user workspace and ~/.openclaw/database by default; users should be aware it will read memory/*.md, REGRESSIONS.md, and update MEMORY.md and a local SQLite DB.
Persistence & Privilege
The skill does not request unconditional installation (always:false) and does not declare elevated privileges. It writes its own database file under ~/.openclaw/database/insight.db and updates MEMORY.md — actions consistent with a memory extractor and not indicative of over-broad platform persistence. Autonomous invocation is enabled by default (normal for skills) but is not combined here with any surprising credential access.
What to consider before installing
- Missing main extractor: The repository's extract_memory.py is an empty file, yet SKILL.md and README instruct you to run it automatically. Running the installed entry point as-is will likely do nothing or raise errors. Ask the author to provide/restore the extraction script or confirm which script should be used (nightly_meta_extract.py appears to contain extraction logic).
- Path inconsistencies: The docs reference multiple similar paths (~/.openclaw/extensions/..., /home/node/.openclaw/workspace/scripts/..., ~/.openclaw/workspace). Confirm where the scripts will actually be installed and which HEARTBEAT.md line you should use to avoid executing the wrong script or a different system script.
- Test vs runtime mismatch: Tests and other scripts assume extraction logic exists and will read workspace files (memory/*.md, REGRESSIONS.md) and update MEMORY.md and an SQLite DB. These are local file operations only, but they will read potentially sensitive workspace files and write to ~/.openclaw/database/insight.db — review those directories and ensure you trust the code before letting it run automatically.
- No network exfiltration observed: I found no network calls, embedded endpoints, or credential exfil patterns — the tool appears local-only. Still, because it reads/writes files automatically, run it in preview/review mode first (the scripts support a --review flag) and/or in a sandboxed environment to verify behavior.
- Recommended actions before enabling automation:
  1. Ask the author to provide the missing extract_memory.py or confirm that nightly_meta_extract.py should be used; ensure the entry points in setup.py are correct.
  2. Run extraction in review/preview mode: copy a few sample memory files into a test workspace and run the script with --review to inspect what would be written to the DB.
  3. Set CLAW_MEMORY_DB_PATH and CLAW_MEMORY_WORKSPACE to a test location (not your real workspace) to verify behavior safely.
  4. Inspect REGRESSIONS.md and MEMORY.md prior to running to confirm expected parsing won't cause overwrites.
  5. If you plan to enable automatic heartbeat execution, update HEARTBEAT.md to call the correct script path and ensure the script is the intended implementation.

If the author supplies the missing extractor and fixes the path/packaging inconsistencies, the skill appears coherent and local-only; until then, treat it as incomplete and proceed cautiously.

Like a lobster shell, security has layers — review code before you run it.

Current version v1.0.1

SKILL.md

claw-memory-lite Skill

Lightweight Long-Term Memory for OpenClaw — SQLite-Powered, Zero External Dependencies, Millisecond Queries.

This skill provides an automated way to manage your agent's long-term memory by extracting distilled insights from daily logs into a queryable SQLite database.

Installation

npx skills add timothysong0w0/claw-memory-lite --agent openclaw

Tools

db_query

Query the long-term memory database by keyword or category.

Usage: python scripts/db_query.py [SEARCH_TERM] [--category CATEGORY]

extract_memory

Extract memory snippets from daily log files (memory/YYYY-MM-DD.md) into the database.

Usage: python scripts/extract_memory.py [--review]

Automation

To enable automatic daily extraction, add the following to your HEARTBEAT.md:

python ~/.openclaw/extensions/claw-memory-lite/scripts/extract_memory.py

Configuration

The database is stored at ~/.openclaw/database/insight.db by default.

Credits

Inspired by 鸿蒙小张 and ByteDance's OpenViking hierarchy.


Built with 🐯 for OpenClaw users.

Files

16 total