Supermemory
v1.0.0Store and retrieve memories using the SuperMemory API. Add content, search memories, and chat with your knowledge base.
⭐ 17· 7.1k·55 current·60 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The scripts call api.supermemory.ai endpoints to add documents and search — this matches the skill's description. However the registry metadata provided with the skill claims no required environment variables or primary credential, while SKILL.md and the scripts clearly expect SUPERMEMORY_API_KEY. That mismatch is an incoherence in the package metadata.
Instruction Scope
SKILL.md instructs the agent to run the included shell scripts which only interact with the SuperMemory API. The instructions do suggest storing arbitrary content (including examples that store API keys) in the memory store — that is within the feature set but is a security/privacy concern for sensitive data. The SKILL.md references an absolute installation path (/root/clawd/skills/...) which assumes a specific runtime layout.
Install Mechanism
This is an instruction-only skill with bundled scripts (no install spec). No remote downloads or obscure install sources are used. Risk from installation is low, but bundled scripts will be written to disk when the skill is installed.
Credentials
Functionally the skill needs exactly one credential (SUPERMEMORY_API_KEY) which is reasonable. However the registry metadata lists no required env vars while SKILL.md metadata and all scripts require SUPERMEMORY_API_KEY — this is a meaningful mismatch. Additionally, the scripts rely on curl and python3 but the skill does not declare required binaries. SKILL.md contains a concrete-looking example API key; if that key is valid it would be a leak.
Persistence & Privilege
The skill does not request 'always: true', doesn't modify other skills, and doesn't require elevated system privileges. Autonomous invocation is allowed (platform default) but not combined with other high privileges.
What to consider before installing
Key issues to consider before installing: 1) The package metadata does not declare the SUPERMEMORY_API_KEY env var even though the scripts and SKILL.md require it — this suggests sloppy packaging or missing declarations. Confirm with the maintainer why metadata and SKILL.md differ. 2) SKILL.md includes a concrete example API key — do not reuse it. Treat it as a placeholder; if it was real it would be leaked and you should rotate any exposed key. 3) The scripts require curl and python3 but these binaries are not declared; ensure they exist in your environment. 4) The skill sends any content you provide to https://api.supermemory.ai; if you plan to store sensitive data (passwords, private keys, tokens), avoid doing so unless you trust the service and understand its retention/privacy policies. 5) Test with non-sensitive data first and restrict the API key scope (least privilege). 6) Because the source/homepage is missing and the owner is unknown, prefer to install only after verifying provenance (ask the publisher for source repo or homepage). If you proceed and suspect the included example key was real, rotate your keys immediately.Like a lobster shell, security has layers — review code before you run it.
latestvk973zs4h93sx6wfcmr0drh0ax98024j2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.