OpenClaw Progressive Memory
v2.0.4Layered BM25-based memory system for OpenClaw with 99% token savings, integrating official Dreaming/Active Memory, graph traversal, and cron automation.
⭐ 0· 87·0 current·0 all-time
by@vinwjin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (layered BM25 memory, Dreaming/Active Memory integration, cron automation) matches the included files: BM25 index/search, manifest builders, layered loader, graph traversal and extractors, overview generator, and session/heartbeat hooks. All code operates on the declared official memory location (~/.openclaw/workspace/memory), which is appropriate for this purpose.
Instruction Scope
SKILL.md and the scripts are focused on indexing, searching, generating overviews, graph extraction and hooking into session/cron events. However several scripts perform write operations against the official memory files (e.g., build_manifest.py writes index/manifest.jsonl; graph/extract_edges.py writes graph/edges.jsonl; graph/migrate_nodes.py renames/writes graph/nodes.jsonl). These actions are consistent with 'integration' but are destructive if misused — the skill also claims to write to .dreams/events.jsonl and provide cron-triggered behavior via session_end_hook.py, so review hooks before enabling automatic runs.
Install Mechanism
No install spec is embedded (instruction-only). SKILL.md suggests an npx clawhub install command, but the skill bundle contains the full Python sources. There is no remote-download or obscure installer in the bundle itself. The lack of an automated install lowers installer-surface risk, but running npx will fetch code externally — inspect prior to running.
Credentials
The skill requests no environment variables, binaries, or external credentials. All file access is to the user's OpenClaw workspace under the home directory, which is proportional to a memory-management skill.
Persistence & Privilege
always:false and model invocation allowed (defaults). The skill contains session_end_hook.py and heartbeat/cron mentions for automated processing; enabling those hooks will make the skill act periodically or on session end and will write to the official memory locations. This is expected for this integration but increases blast radius—only enable automatic hooks if you trust the code and have backups.
Assessment
This skill appears to do what it claims (a three-layer BM25 memory integrated with OpenClaw), but it will read and modify files in ~/.openclaw/workspace/memory (manifest.jsonl, nodes.jsonl, edges.jsonl, events/, raw/, etc.). Before installing or enabling hooks: 1) Inspect session_end_hook.py and any cron/heartbeat wiring to confirm no unexpected external endpoints or telemetry; 2) Make a full backup of ~/.openclaw/workspace/memory (the code renames/writes files and may change formats); 3) Review and test the scripts in a sandbox copy of your memory directory to verify redaction and behavior—the generate_overviews redaction is heuristic and can miss secrets; 4) Prefer manual runs at first rather than enabling automatic session/cron hooks; and 5) If you plan to run the suggested 'npx clawhub install' command, inspect the fetched package first (npx will fetch remote code). If you want, I can highlight specific lines/functions to review (e.g., migrate_nodes.py, build_manifest.py, session_end_hook.py) or produce a short checklist to safely enable this skill.Like a lobster shell, security has layers — review code before you run it.
latestvk97fe8g5waazr2r8mbvh59wtm184nck8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.