ClawHub

SQ Memory

Enables OpenClaw agents to store, recall, update, list, and forget persistent hierarchical memories across sessions via the SQ protocol.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 795 · 0 current installs · 0 all-time installs
by@wbic16
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill implements persistent memory (remember/recall/forget/list) and the included code matches that purpose. However, the package metadata, SKILL.md, and examples contain inconsistent configuration keys (SKILL.md sometimes shows username/password; skill.json and code expect api_key/api_key or config.api_key) and the top-level registry metadata listed no required env vars while skill.json declares an api_key config. These mismatches are sloppy and could confuse users when configuring credentials.
!
Instruction Scope
Runtime instructions stay within the memory feature (store/recall/delete/list), but the implementation sends stored text as URL query parameters on GET requests (see index.js: update/select endpoints include the stored text encoded into the URL). That risks leakage to logs, proxies, or browser history. SKILL.md does not warn about this. Also the SKILL.md contains phrasing about adding items to an agent's system prompt and the pre-scan flagged a 'system-prompt-override' pattern — while the file's examples are normal, treat any instructions that encourage modifying system prompts with special caution.
Install Mechanism
No package install spec is present (instruction-only install via git or npx clawhub), and all code is bundled in the skill. There are no external arbitrary downloads in an install step. Manual install instructions are standard (git clone, npm install).
!
Credentials
The skill legitimately needs an SQ endpoint and (optionally) an API key. That is proportionate. However, documentation inconsistently references 'username'/'password' vs 'api_key', and the registry metadata at the top claimed 'Required env vars: none' despite the manifest declaring an api_key config (secret). These inconsistencies increase the risk users will misconfigure credentials or accidentally expose secrets.
Persistence & Privilege
The skill does not request always:true or system-wide privileges. It registers normal tools (remember/recall/etc.) and does not modify other skills or agent configs. Autonomous invocation is allowed (default) but not combined with problematic privileges.
Scan Findings in Context
[system-prompt-override] unexpected: The SKILL.md contains examples that instruct adding memory behavior into the agent's system prompt and shows 'In your agent's system prompt or skill code:' which triggered the detector. The file itself appears to be example usage, not an explicit attempt to override the platform system prompt, but we flag it because prompts added to agent system prompts can escalate influence and should be reviewed before pasting into privileged system prompts.
What to consider before installing
What to consider before installing: - Verify configuration keys: the code and skill.json expect 'api_key' (secret) and 'endpoint' and 'namespace'. SKILL.md sometimes shows 'username'/'password' — confirm which credential your deployment requires before pasting secrets. - Do NOT store sensitive personal data in memory until you confirm transport security: the implementation encodes stored text into GET query parameters (index.js uses query string &s=...). Query-string writes can be logged by reverse proxies, web servers, or intermediaries. Prefer using an HTTPS endpoint and, if possible, modify the skill to POST data in the request body (or ask the maintainer to fix it) before storing sensitive info. - Prefer self-hosting for sensitive data: the project advertises a hosted service (mirrorborn.us). If you must store private user data, run your own SQ instance and point the skill at a localhost/HTTPS-protected endpoint. - Review and test on non-sensitive data: run the included test.js against a local SQ instance first to observe network traffic and behavior. - Inspect and/or patch the code: trivial changes would improve safety (use POST for updates, avoid including large text in URLs, normalize config key names). If you are not comfortable editing, ask the maintainer to address the GET/query-string issue and the documentation inconsistencies. - Be cautious about paste-into-system-prompt guidance: examples that suggest altering an agent's system prompt can increase the privilege of user-provided content — don't paste untrusted docs into privileged system prompts. If you want, I can point out the exact lines to change to stop sending text in URLs and to normalize config keys.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.1
Download zip
latestvk97b3wa5gzp69m37z8dbhkafh1811ba8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

SQ Memory - OpenClaw Skill

Give your OpenClaw agents permanent memory.

Open Source & MIT Licensed

SQ is open-source software you can run yourself or use our hosted version.

  • Source Code: https://github.com/wbic16/SQ
  • License: MIT (free forever, modify/sell/distribute)
  • Self-Host: Free (5 minute setup)
  • Hosted Option: Paid convenience service at mirrorborn.us

What This Skill Does

OpenClaw agents lose all memory between sessions. Every restart = amnesia.

This skill connects your agent to SQ—persistent 11D text storage. Your agent can:

  • Remember user preferences across sessions
  • Store conversation history beyond context limits
  • Share memory with other agents
  • Never hallucinate forgotten details again

Installation

npx clawhub install sq-memory

Or manually:

git clone https://github.com/wbic16/openclaw-sq-skill.git ~/.openclaw/skills/sq-memory

Configuration

Add to your agent's .openclaw/config.yaml:

skills:
  sq-memory:
    enabled: true
    endpoint: http://localhost:1337
    username: your-username
    password: your-api-key
    namespace: agent-name  # Isolates this agent's memory

Usage

Your agent automatically gets new memory tools:

remember(key, value)

Store something for later:

remember("user/name", "Alice")
remember("user/preferences/theme", "dark")
remember("conversation/2026-02-11/summary", "Discussed phext storage...")

recall(key)

Retrieve stored memory:

const name = recall("user/name")  // "Alice"
const theme = recall("user/preferences/theme")  // "dark"

forget(key)

Delete memory:

forget("conversation/2026-02-11/summary")

list_memories(prefix)

List all memories under a coordinate:

const prefs = list_memories("user/preferences/")
// Returns: ["user/preferences/theme", "user/preferences/language", ...]

Coordinate Structure

Memories are stored at 11D coordinates. The skill uses this convention:

namespace.1.1 / category.subcategory.item / 1.1.1

Example:

  • Agent namespace: my-assistant
  • User preference for theme: my-assistant.1.1/user.preferences.theme/1.1.1

This means:

  • Each agent has isolated memory (namespace collision impossible)
  • Memories are hierarchically organized
  • You can share coordinates between agents if needed

Example: User Preference Agent

// In your agent's system prompt or skill code:

async function getUserTheme() {
  const theme = recall("user/preferences/theme")
  return theme || "light"  // Default to light if not set
}

async function setUserTheme(newTheme) {
  remember("user/preferences/theme", newTheme)
  return `Theme set to ${newTheme}`
}

// Agent conversation:
User: "I prefer dark mode"
Agent: *calls setUserTheme("dark")*
Agent: "Got it! I've set your theme to dark mode."

// Next session (days later):
User: "What's my preferred theme?"
Agent: *calls getUserTheme()*
Agent: "You prefer dark mode."

Example: Conversation History

// Store conversation summaries beyond context window:

async function summarizeAndStore(conversationId, summary) {
  const date = new Date().toISOString().split('T')[0]
  const key = `conversations/${date}/${conversationId}/summary`
  remember(key, summary)
}

async function recallConversation(conversationId) {
  const memories = list_memories(`conversations/`)
  return memories
    .filter(m => m.includes(conversationId))
    .map(key => recall(key))
}

// Usage:
summarizeAndStore("conv-123", "User asked about phext storage, explained 11D coordinates")

// Later:
const history = recallConversation("conv-123")
// Agent can recall what was discussed even after context window cleared

Advanced: Multi-Agent Coordination

Multiple agents can share memory at agreed coordinates:

Agent A (writes):

remember("shared/tasks/pending/task-42", "Review pull request #123")

Agent B (reads):

const task = recall("shared/tasks/pending/task-42")
// Sees: "Review pull request #123"

This enables true multi-agent workflows.

API Reference

All functions are available in the sq namespace:

sq.remember(coordinate, text)

  • coordinate: String in format a.b.c/d.e.f/g.h.i or shorthand category/item
  • text: String to store (max 1MB per coordinate)
  • Returns: {success: true, coordinate: "full.coordinate.path"}

sq.recall(coordinate)

  • coordinate: String (exact match)
  • Returns: String (stored text) or null if not found

sq.forget(coordinate)

  • coordinate: String (exact match)
  • Returns: {success: true} or {success: false, error: "..."}

sq.list_memories(prefix)

  • prefix: String (e.g., "user/" matches all user memories)
  • Returns: Array of coordinate strings

sq.update(coordinate, text)

  • Alias for remember() (overwrites existing)

Rate Limits

  • Free tier: 1,000 API calls/day, 100MB storage
  • SQ Cloud ($50/mo): 10,000 API calls/day, 1TB storage
  • Enterprise: Custom limits

Troubleshooting

"Connection refused" error:

  • Check your endpoint in config (should be https://sq.mirrorborn.us)
  • Verify credentials are correct

"Quota exceeded" error:

  • You've hit rate limits
  • Upgrade to SQ Cloud or wait for daily reset

Memory not persisting:

  • Check namespace isolation (each agent needs unique namespace)
  • Verify coordinate format is valid

Why SQ?

Open source & MIT licensed:

  • Run it yourself for free
  • Modify it to fit your needs
  • No vendor lock-in
  • Transparent codebase

Not a vector database:

  • Agents can read stored text (not just search embeddings)
  • Structured by coordinates (not similarity)
  • Deterministic retrieval (no relevance ranking guesses)

Not Redis:

  • Persistent (survives restarts)
  • 11D addressing (not flat key-value)
  • Immutable history (WAL for time-travel)

Built for agents:

  • Coordinate system matches agent thinking (hierarchical)
  • No schema overhead
  • Scales from KB to TB

Get SQ

Self-Host (Free):

  1. Clone: git clone https://github.com/wbic16/SQ.git
  2. Build: cd SQ && cargo build --release
  3. Run: ./target/release/sq 1337
  4. Configure SQ Memory to http://localhost:1337

Hosted (Convenience):

  1. Sign up: https://mirrorborn.us
  2. Get API key
  3. Configure SQ Memory to https://sq.mirrorborn.us
  4. Pay $50/mo (or use free tier)

Support

Built by Mirrorborn 🦋 for the OpenClaw ecosystem

Files

15 total
Select a file
Select a file to preview.

Comments

Loading comments…