Q Memory (Local)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The package appears to be a local memory manager but contains multiple internal inconsistencies (claims of 'pure local / no background tasks' vs. several heartbeat/cron scripts and state files, plus hard-coded paths), so review the source code and runtime behavior before installing or running it on important systems.

What to check before installing or running:

- Audit for hidden network calls: grep the code for imports and uses of requests, urllib, socket, ftplib, smtplib, http, subprocess, os.system, and confirm there are no calls sending data out. The code bundle provided appears to be mostly local, but the README/SECURITY.md mention GitHub URLs and older versions supported integrations.
- Verify background/heartbeat behavior: search for files named heartbeat*, cron, scheduler, sleep, threading, asyncio, apscheduler. Although v1.8.5-local claims no background tasks, the repo still contains heartbeat/progress_reminder/agent_state scripts; confirm these are not launched automatically by your environment or a platform integration.
- Inspect hard-coded paths: agent_memory_cli inserts '/root/.openclaw/workspace/skills/qst-memory' into sys.path. That should be replaced with relative imports; running as-is may import unexpected modules or fail on non-root setups.
- Treat data as plaintext: the RELEASE/SECURITY notes say encryption was removed and data is stored as plain text. Do not store secrets (passwords, API keys) in this memory DB; follow the SECURITY.md advice and use disk-level encryption or a version with crypto if you need to store secrets.
- Run in a sandbox first: execute in an isolated container or VM and monitor network traffic and file writes. If you need to enable integrations later, prefer explicit configuration rather than enabling poorly-documented/hidden modules.
- Ask the publisher to clarify: request a single authoritative source URL, confirm which version was packaged (v1.8.5-local vs. SKILL.md v1.8.2/v1.8.4 references), and have them remove or explain any leftover integration/heartbeat code if the intent is truly 'pure local'.
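The first and third checks above can be automated rather than grepped by hand. The following is an added example, not code from the package or its publisher: an ast-based auditor that flags the network-capable imports named in the checklist, os.system/subprocess calls, and sys.path insertions of absolute paths. The SAMPLE source is constructed for illustration; the only value taken from this page is the hard-coded path.

```python
import ast
import os

NETWORK_MODULES = {"requests", "urllib", "socket", "ftplib", "smtplib", "http"}
EXEC_CALLS = {("os", "system"), ("subprocess", "run"), ("subprocess", "Popen"),
              ("subprocess", "call"), ("subprocess", "check_output")}
PATH_CALLS = {"sys.path.insert", "sys.path.append"}

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def audit_source(src, filename="<string>"):
    """Return sorted (lineno, kind, detail) findings for one file's source."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for mod in mods:  # match on the top-level package name
                if mod.split(".")[0] in NETWORK_MODULES:
                    findings.append((node.lineno, "network-import", mod))
        elif isinstance(node, ast.Call):
            callee = _dotted(node.func) or ""
            if tuple(callee.split(".")[-2:]) in EXEC_CALLS:
                findings.append((node.lineno, "exec-call", callee))
            elif callee in PATH_CALLS and node.args:
                last = node.args[-1]  # the path string is the last positional arg
                if isinstance(last, ast.Constant) and isinstance(last.value, str) \
                        and os.path.isabs(last.value):
                    findings.append((node.lineno, "hardcoded-sys-path", last.value))
    return sorted(findings)

# Constructed sample mirroring the review's hard-coded path; not the package's code.
SAMPLE = """\
sys.path.insert(0, '/root/.openclaw/workspace/skills/qst-memory')
import requests
from urllib import request
import subprocess, os
subprocess.run(['true'])
os.system('true')
"""
```

Run audit_source over every .py file in the unpacked skill directory; a hit is a pointer for manual review (a urllib import may be benign), not proof of exfiltration.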

Static analysis

Static analysis findings are pending for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

No visible risk-analysis findings were reported for this release.