📦 Chroma Memory — 语义记忆存储
v1.0.1基于 ChromaDB,为每轮客户对话提供自动标签与隔离的语义存储与检索,实现长期记忆与上下文复用。
0· 129·2 当前·2 累计
by 下载技能包
最后更新
2026/4/5
安全扫描
OpenClaw
可疑
high confidenceThe skill's description promises a ChromaDB-backed semantic vector memory, but the shipped code only performs local file I/O and lexical matching — the implementation and declared dependencies do not match the claimed purpose.
评估建议
The core issue is mismatch: the skill promises ChromaDB-backed semantic vector memory but the bundled code implements only local JSON storage and lexical ranking. Before installing, decide whether you want a local file-based memory (this code) or true ChromaDB/vector embeddings. If you accept local storage, confirm where files will be written (OPENCLAW_HOME or HOME), whether data-at-rest is encrypted, retention/cleanup policies, and whether phone numbers/PII are acceptable to store on disk. If y...详细分析 ▾
⚠ 用途与能力
SKILL.md and description claim ChromaDB integration and semantic (vector) retrieval; the provided chroma.mjs contains no network/DB calls, no use of chromadb or embeddings — it stores JSON files under ~/.openclaw/memory/chroma and uses simple lexical overlap + heuristics for search. The declared dependency on a 'chromadb' skill and the ChromaDB branding are therefore misleading.
⚠ 指令范围
Runtime instructions describe 'auto-called' hooks, tenant isolation via where filters, and semantic searches. The code is a standalone Node CLI that reads/writes local JSON files and does not implement semantic vector search or any hook integration. SKILL.md references HEARTBEAT triggers and OpenClaw Gateway behavior that are not visible in the code.
ℹ 安装机制
There is no install spec (instruction-only), which is low risk. However, the package includes a Node .mjs script but the skill metadata lists no required binaries; 'node' is effectively required to run chroma.mjs but isn't declared. Nothing in the install path downloads remote code or runs network installers.
ℹ 凭证需求
The skill declares no required secrets or env vars. The code reads OPENCLAW_HOME or HOME and optionally CRM_SNAPSHOT_DATA (used for snapshot piping) — these env vars are not documented in requires.env. None are sensitive credentials, but CRM_SNAPSHOT_DATA could contain bulk CRM data and is not flagged as a required/optional env var in the metadata.
ℹ 持久化与权限
always:false and normal invocation. The code writes persistent files into the user's HOME (or OPENCLAW_HOME) under a .openclaw/memory/chroma path and will create directories and many JSON files. It does not modify other skills or system-wide settings, but it does persist potentially sensitive conversation data on disk.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.12026/4/2
chroma-memory 1.0.1 - Documentation updates only: SKILL.md reformatted, with no changes to commands, features, or usage. - No functional changes to the core skill logic.
● Pending
安装命令
点击复制官方npx clawhub@latest install chroma-memory
镜像加速npx clawhub@latest install chroma-memory --registry https://cn.longxiaskill.com