Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Openclaw Mem0
v1.0.2Adds intelligent long-term memory to agents for auto-capturing, recalling, and managing user facts and preferences across sessions.
⭐ 4· 1.7k·6 current·6 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code and SKILL.md implement a Mem0 memory plugin (platform and OSS modes) which matches the implied purpose. However the registry metadata declares no required environment variables or primary credential while the README/SKILL.md and plugin UI expect a Mem0 API key (MEM0_API_KEY) and host configuration. The package contains mem0ai and other dependencies in package.json/package-lock, but the skill metadata did not declare these needs. Missing top-level description/homepage in the registry is also a minor red flag.
Instruction Scope
SKILL.md instructs the agent to Auto‑Recall (search memories and inject results into the system prompt before each agent turn) and Auto‑Capture (analyze each turn and store key facts after each turn). Those behaviors are expected for a memory plugin but effectively allow automatic modification of system prompts and automatic exfiltration of conversational content to the configured memory backend. The SKILL.md does not instruct reading unrelated local files or other credentials, but the pre-scan flagged 'system-prompt-override' is expected here because the plugin intentionally injects memory into the system prompt.
Install Mechanism
No explicit install spec was provided in the registry (instruction-only), which is lower risk, but the bundle includes source files, package.json, and a package-lock with many dependencies (mem0ai, openclaw, etc.). If you install via the OpenClaw CLI/npm, these dependencies will be fetched from npm. The presence of substantial dependencies is plausible but should be audited (package-lock is large and pulls many transitive libs).
Credentials
The skill metadata lists no required env vars or primary credential, yet SKILL.md and plugin UI examples expect a Mem0 API key (and optionally MEM0_HOST) for platform mode. That mismatch is an inconsistency: the plugin will need credentials to send user memory to the Mem0 backend but the registry did not declare this. Requesting a single API key for the memory backend is proportional to the feature, but the missing declaration and no clear guidance about protecting sensitive info are concerning.
Persistence & Privilege
The plugin is not marked 'always: true' (good). It allows autonomous invocation (default) which is normal for plugins. However Auto‑Recall/Auto‑Capture grant it broad ability to read and inject context and to transmit conversation content to the configured backend — a powerful capability that can leak sensitive data if misconfigured or if the backend is untrusted. The plugin provides controls (customInstructions, toggles) but those rely on operator configuration.
Scan Findings in Context
[system-prompt-override] expected: The SKILL.md and plugin explicitly describe injecting retrieved memories into the system prompt before each agent turn. A regex flagged this as a potential system-prompt override; for a memory plugin this behavior is expected but is also the primary privacy/attack surface (it can influence model behavior and carry sensitive content).
What to consider before installing
This plugin implements Mem0 memory features and will send stored conversation data to whatever Mem0 host you configure. Before installing: 1) Confirm you intend to provide a Mem0 API key (platform mode) or run a trusted self-hosted Mem0 instance (open-source mode). The registry metadata not listing required env vars is inconsistent—treat the plugin as requiring a Mem0 key. 2) If you care about privacy, prefer self-hosted OSS mode or verify the mem0.ai service and the plugin package on npm/GitHub. 3) Disable Auto‑Capture or set strict customInstructions to avoid storing secrets (passwords, SSNs, API keys); test behavior in a sandboxed agent first. 4) Review the package.json/package-lock or the upstream repository to ensure dependencies are legitimate. 5) Because the plugin injects memories into the system prompt, only enable it for agents you trust. If you want higher assurance, ask the author for a canonical repository/linked release and an explanation for why required env vars are omitted from the registry metadata.Like a lobster shell, security has layers — review code before you run it.
latestvk978hggzbk251gn8e3w45vy29h810ckn
License
MIT-0
Free to use, modify, and redistribute. No attribution required.