ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Mem0

v1.0.2

Adds intelligent long-term memory to agents for auto-capturing, recalling, and managing user facts and preferences across sessions.

4· 1.9k·6 current·6 all-time
by@xray2016

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xray2016/openclaw-mem0.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Openclaw Mem0" (xray2016/openclaw-mem0) from ClawHub.
Skill page: https://clawhub.ai/xray2016/openclaw-mem0
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install xray2016/openclaw-mem0

ClawHub CLI

Package manager switcher

npx clawhub@latest install openclaw-mem0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The code and SKILL.md implement a Mem0 memory plugin (platform and OSS modes) which matches the implied purpose. However the registry metadata declares no required environment variables or primary credential while the README/SKILL.md and plugin UI expect a Mem0 API key (MEM0_API_KEY) and host configuration. The package contains mem0ai and other dependencies in package.json/package-lock, but the skill metadata did not declare these needs. Missing top-level description/homepage in the registry is also a minor red flag.
Instruction Scope
SKILL.md instructs the agent to Auto‑Recall (search memories and inject results into the system prompt before each agent turn) and Auto‑Capture (analyze each turn and store key facts after each turn). Those behaviors are expected for a memory plugin but effectively allow automatic modification of system prompts and automatic exfiltration of conversational content to the configured memory backend. The SKILL.md does not instruct reading unrelated local files or other credentials, but the pre-scan flagged 'system-prompt-override' is expected here because the plugin intentionally injects memory into the system prompt.
Install Mechanism
No explicit install spec was provided in the registry (instruction-only), which is lower risk, but the bundle includes source files, package.json, and a package-lock with many dependencies (mem0ai, openclaw, etc.). If you install via the OpenClaw CLI/npm, these dependencies will be fetched from npm. The presence of substantial dependencies is plausible but should be audited (package-lock is large and pulls many transitive libs).
!
Credentials
The skill metadata lists no required env vars or primary credential, yet SKILL.md and plugin UI examples expect a Mem0 API key (and optionally MEM0_HOST) for platform mode. That mismatch is an inconsistency: the plugin will need credentials to send user memory to the Mem0 backend but the registry did not declare this. Requesting a single API key for the memory backend is proportional to the feature, but the missing declaration and no clear guidance about protecting sensitive info are concerning.
Persistence & Privilege
The plugin is not marked 'always: true' (good). It allows autonomous invocation (default) which is normal for plugins. However Auto‑Recall/Auto‑Capture grant it broad ability to read and inject context and to transmit conversation content to the configured backend — a powerful capability that can leak sensitive data if misconfigured or if the backend is untrusted. The plugin provides controls (customInstructions, toggles) but those rely on operator configuration.
Scan Findings in Context
[system-prompt-override] expected: The SKILL.md and plugin explicitly describe injecting retrieved memories into the system prompt before each agent turn. A regex flagged this as a potential system-prompt override; for a memory plugin this behavior is expected but is also the primary privacy/attack surface (it can influence model behavior and carry sensitive content).
What to consider before installing
This plugin implements Mem0 memory features and will send stored conversation data to whatever Mem0 host you configure. Before installing: 1) Confirm you intend to provide a Mem0 API key (platform mode) or run a trusted self-hosted Mem0 instance (open-source mode). The registry metadata not listing required env vars is inconsistent—treat the plugin as requiring a Mem0 key. 2) If you care about privacy, prefer self-hosted OSS mode or verify the mem0.ai service and the plugin package on npm/GitHub. 3) Disable Auto‑Capture or set strict customInstructions to avoid storing secrets (passwords, SSNs, API keys); test behavior in a sandboxed agent first. 4) Review the package.json/package-lock or the upstream repository to ensure dependencies are legitimate. 5) Because the plugin injects memories into the system prompt, only enable it for agents you trust. If you want higher assurance, ask the author for a canonical repository/linked release and an explanation for why required env vars are omitted from the registry metadata.

Like a lobster shell, security has layers — review code before you run it.

latestvk978hggzbk251gn8e3w45vy29h810ckn
1.9kdownloads
4stars
3versions
Updated 17h ago
v1.0.2
MIT-0
@xray2016
latest
Download

OpenClaw Mem0 Plugin

Mem0 integration for OpenClaw. Adds intelligent long-term memory to your agents, allowing them to remember user preferences, facts, and past conversations automatically.

When to use

  • You want your agent to remember user details (name, job, preferences) across sessions
  • You need "infinite context" by retrieving relevant past interactions
  • You want to build a personalized assistant that learns over time
  • You need both cloud (managed) and self-hosted (local) memory options

Setup

Platform Mode (Recommended)

  1. Get a free API key at mem0.ai
  2. Add to your OpenClaw config:
{
  "plugins": {
    "entries": {
      "openclaw-mem0": {
        "enabled": true,
        "config": {
          "mode": "platform",
          "apiKey": "your-mem0-api-key",
          "userId": "default-user"
        }
      }
    }
  }
}

Open-Source Mode (Self-Hosted)

Connect to your own Mem0 instance (requires mem0ai package installed):

{
  "plugins": {
    "entries": {
      "openclaw-mem0": {
        "enabled": true,
        "config": {
          "mode": "open-source",
          "oss": {
            "vectorStore": {
              "provider": "chroma",
              "config": {
                "collectionName": "memories",
                "path": "./chroma_db"
              }
            }
          }
        }
      }
    }
  }
}

Usage

This plugin works automatically (Zero-Shot) but also provides manual tools.

Automatic Features

  • Auto-Recall: Before every agent turn, it searches memory for relevant context and injects it into the system prompt.
  • Auto-Capture: After every agent turn, it analyzes the conversation and stores key facts into memory.

Manual Tools

The agent can proactively call these tools:

ToolDescriptionParameters
memory_storeExplicitly save a facttext (string), longTerm (bool)
memory_searchSearch memoriesquery (string), scope ("session"|"long-term")
memory_getGet memory by IDmemoryId (string)
memory_listList all memoriesuserId (string)
memory_forgetDelete a memorymemoryId (string) or query (string)

Example

User: "I'm moving to Tokyo next month." Agent automatically captures this fact.

(Two weeks later) User: "What's a good restaurant for my farewell dinner?" Agent automatically recalls "User is moving to Tokyo" and suggests a restaurant in their current city.

Plugin structure

openclaw-mem0/
  package.json            # NPM package config (@xray2016/openclaw-mem0)
  index.ts                # Plugin implementation & tools
  lib/                    # Internal Mem0 client implementation
  SKILL.md                # This file
  README.md               # Detailed documentation

Author

Maintained by @xRay2016. Modified from the original Mem0 OpenClaw integration.

Comments

Loading comments...