Security scan
OpenClaw
Suspicious
high confidence
Assessment and recommendations
Before installing, be aware this skill expects you to run Node scripts and to provide an OPENAI_API_KEY (even though the registry metadata omits them). It will create a local DB under ~/.mem0 and send text to OpenAI for embeddings and extraction. Recommended steps: (1) only install if you are willing to provide an OpenAI key and allow local persistent storage; (2) run the package in an isolated environment and npm install the dependencies yourself (review package-lock); (3) consider creating an ...
Detailed analysis
⚠ Purpose and capabilities
The skill's name/description match the code: it implements a mem0 memory layer. However the registry metadata claims no required env vars and no required binaries, while the scripts and SKILL.md clearly require Node.js and an OPENAI_API_KEY. That mismatch is unexplained and disproportionate to the documented purpose (the skill legitimately needs the OpenAI key and node runtime but failed to declare them).
ℹ Instruction scope
SKILL.md instructions stay on-topic (search before responding, add/list/delete memories). They direct the user to run the included Node scripts, which call mem0 APIs and use the OPENAI_API_KEY for embeddings and extraction. They also direct storing a SQLite DB under ~/.mem0/history.db; that's within scope for a memory layer but is a persistence and privacy consideration. There are no obvious instructions to read unrelated system files or exfiltrate data to unexpected endpoints.
⚠ Installation mechanism
This is marked as an instruction-only skill (no install spec), yet the package.json/package-lock and scripts indicate Node code with an npm dependency (mem0ai). The skill does not declare that Node or npm must be available, nor does it provide an install step for dependencies. That makes the runtime behavior unclear and could surprise users (scripts will fail or behave inconsistently if dependencies are not installed).
⚠ Credential requirements
The code and SKILL.md explicitly require OPENAI_API_KEY (and optionally JSON_OUTPUT env var) but the registry metadata lists no required environment variables or primary credential. Requesting an OpenAI API key is reasonable for this function, but it must be declared. The scripts also default to a hardcoded USER_ID 'abhay', which is an odd/poorly generalized default and may expose or entrench a specific identity in a shared environment.
ℹ Persistence and permissions
The skill writes persistent files to the user's home directory (~/.mem0/history.db) and uses a local vector store. That persistence is expected for a memory layer. always is false and the skill does not request system-wide config changes or other skills' credentials. Still, persistent local storage and autonomous model invocation (allowed by platform defaults) mean the skill can repeatedly access and store user data during use.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/2/28
● Harmless
Install command
Official: npx clawhub@latest install mem0
Mirror (accelerated): npx clawhub@latest install mem0 --registry https://cn.longxiaskill.com