Neolata Memory Engine
v0.8.5
Graph-native memory engine for AI agents — hybrid vector+keyword search, biological decay, Zettelkasten linking, trust-gated conflict resolution, explainabil...
⭐ 0 · 593 · 1 current · 1 all-time
by HEIS AGENCY (@jeremiaheth)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Benign (high confidence)
Purpose & Capability
The skill's name/description (graph-native memory engine) matches the SKILL.md and reference docs: methods, storage backends, embedding/LLM integration, and runtime helpers are all memory-related. Minor metadata inconsistencies exist: SKILL.md frontmatter lists version 0.8.4 while the registry shows 0.8.5, and registry metadata lists no homepage/source while SKILL.md points to a GitHub repo. These are administrative mismatches but do not change the stated purpose.
Instruction Scope
Instructions are focused on memory operations (store/search/context/decay/etc.). They explicitly document when data is sent off-host (embeddings, LLM extraction, Supabase storage, webhook writethrough) and provide safety guidance (SSRF guards, use memory mode, prefer anon keys + RLS). Runtime helpers (heartbeatStore, preCompactionDump) do instruct the host to extract key moments from conversation text — expected for a memory engine but worth noting since they cause the agent to collect conversation content.
Install Mechanism
No install spec is included in the skill bundle (instruction-only), so nothing is written/executed by the platform. The SKILL.md recommends an npm package (@jeremiaheth/neolata-mem) hosted on GitHub; installing that package is a user action outside this skill. The author recommends verifying the tarball and notes zero runtime deps, which is prudent. Because the skill does not itself download/run code, install risk is low, but installing the referenced npm package carries the usual supply-chain risk and should be audited.
Credentials
The registry lists no required env vars; SKILL.md documents optional envs (OPENAI_API_KEY, OPENCLAW_GATEWAY_TOKEN, NVIDIA_API_KEY, AZURE_API_KEY, SUPABASE_URL, SUPABASE_KEY) and states that only OPENAI_API_KEY and OPENCLAW_GATEWAY_TOKEN are read directly by the code by default. These optional credentials align with the described features (embeddings, LLM gateway, Supabase). The presence of Supabase keys and webhook URLs is an explicit exfiltration/privilege surface if configured — the docs themselves warn about preferring anon keys with RLS and not using service keys in clients.
Persistence & Privilege
always:false and no install scripts in this bundle. The skill does not request persistent platform privileges. It documents local JSON storage by default and an in-memory test mode; persistent or networked storage only occurs if you explicitly configure Supabase, embeddings, LLMs, or webhooks. Autonomous invocation is allowed by default (platform normal) but the skill does not request elevated or always-on privileges.
Assessment
This skill is instruction-only and describes a Node.js memory library; it appears coherent, but follow these steps before installing or enabling remote features:
- Inspect the upstream package/repo before npm install: run `npm view ... scripts` / `npm view ... dependencies` and `npm pack --dry-run`, and review the repository source referenced in SKILL.md. The SKILL.md and registry metadata show small mismatches (version and homepage) — confirm you're installing the intended release.
- Start in memory mode (`storage.type='memory'`) or local JSON to evaluate behavior before enabling persistence or networked backends.
- Never supply a Supabase service key to a client agent; prefer anon/public keys with RLS as the docs recommend.
- Treat webhookWritethrough and any configured remote embedding/LLM providers as explicit exfiltration surfaces — only point them at endpoints you control and trust.
- If you depend on the OpenClaw gateway, provide OPENCLAW_GATEWAY_TOKEN securely; otherwise avoid configuring remote LLMs/embeddings.
If you want higher assurance, request the exact npm tarball URL or a commit hash from the publisher so you (or an auditor) can verify the installed code matches the documentation.
Like a lobster shell, security has layers — review code before you run it.
Tags: conflict-resolution, decay, embeddings, graph, latest, memory, zettelkasten
Runtime requirements
Bins: node
