1172 Downloads · 0 Stars · 1 Active Installs · 2 Versions
Install in OpenClaw
/install secondmind
Description
Autonomous three-tier memory with proactive initiative, project tracking, and social intelligence. Ingests OpenClaw conversations, extracts knowledge + emoti...
Usage Guidance
SecondMind appears to do exactly what it claims: it reads your OpenClaw session JSONL files, stores local SQLite records, calls OpenRouter for LLM operations, and can notify via Telegram/Discord. Before installing, consider the following:
- Review the code and config.json yourself (or in a sandbox) before running setup.js. The repository will create a local data directory (data/secondmind.db) and install cron/Task Scheduler jobs that run every 30 minutes / 6 hours / daily — check and approve those changes.
- Keep your OpenRouter API key and Telegram bot token private. The skill asks you to add the OpenRouter key into config.json (or to provide it via an agent prompt); only provide the key if you trust the environment and accept potential API usage/billing.
- The skill will capture session contents (including active sessions) during its flush/ingest flows; if you have sensitive conversation content, review what gets stored and where (data/).
- Cron jobs and the standalone bot will generate periodic outbound network traffic (OpenRouter API + optional Telegram/Discord). Expect small, recurring API usage and costs; choose model settings carefully.
- If you are uncomfortable with persistent background jobs, run the scripts manually for testing (node scripts/status.js, ingest.js, consolidate.js, initiative.js) instead of installing cron/schtasks.
Minor metadata note: registry metadata said “no install spec” while SKILL.md includes an npm install step — that mismatch likely reflects metadata staleness but you should verify the install steps prior to running them.
Capability Analysis
Type: OpenClaw Skill
Name: secondmind
Version: 1.4.0
The skill is classified as suspicious due to significant shell injection vulnerabilities (RCE risk) present in the `SKILL.md` instructions. The AI agent is explicitly instructed to execute shell commands with user-provided arguments (e.g., `/accept <ID...> [comment]`, `/proposals [filter]`, `/smsearch <query>`). If the OpenClaw agent concatenates user input directly into these commands without proper sanitization, it could lead to arbitrary code execution. Additionally, `AGENT-SETUP.md` poses prompt injection risks by instructing the agent to handle sensitive configuration (API keys, paths) and execute setup scripts. While the core functionality and LLM prompts appear benign and include self-imposed safeguards against sensitive data, these vulnerabilities allow for potential exploitation by a malicious user.
Capability Assessment
Purpose & Capability
The skill name/description (autonomous memory, proactive suggestions) lines up with the code and instructions: it ingests OpenClaw JSONL sessions, stores them in a local SQLite DB, runs consolidation/initiative jobs, uses an LLM provider (OpenRouter), and offers Telegram notifications and project tracking. Required binary is just node, which matches the Node.js implementation.
Instruction Scope
SKILL.md and AGENT-SETUP.md explicitly instruct running setup.js, creating cron/scheduler jobs, and running multiple scripts (ingest, consolidate, initiative, flush, etc.) that read session files and write to a local DB. This is within the stated scope. Two items to be aware of: (1) a CRITICAL pre-reset step instructs running flush.js to capture active session contents prior to resets (intended for data retention but will capture ephemeral session content), and (2) AGENT-SETUP.md instructs the agent to ask the user for their OpenRouter API key — users should be cautious about supplying secrets via an agent prompt.
Install Mechanism
The skill's install step runs npm install --production in the repo, which pulls dependencies declared in package.json (notably better-sqlite3, etc.). This is a standard package install from npm (no arbitrary URL downloads observed). better-sqlite3 is a native module and may require build tools. Registry metadata earlier said 'no install spec' while SKILL.md includes an install command — a minor metadata inconsistency but not a direct security indicator.
Credentials
The skill does not require OS credentials or unrelated secrets. It expects an OpenRouter API key (stored in config.json) and optionally Telegram bot token / Discord webhook for notifications — these are proportional to the stated functionality. One mismatch: registry/metadata lists no required env vars, yet setup and docs require an OpenRouter API key in config.json (not an env var). The agent-assisted setup suggests prompting the user to provide the OpenRouter key — treat that as sensitive and only provide it if you trust the skill/agent and understand billing implications.
Persistence & Privilege
The skill does not set always:true and does not alter other skills. However, setup.js installs persistent background jobs (crontab on Linux or scheduled tasks on Windows) that will run regularly and perform ingestion, consolidation, archival, and initiative tasks. This persistent scheduling is consistent with the skill purpose but is a meaningful level of system presence that the user should explicitly approve and review.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install secondmind
- After installation, invoke the skill by name or use /secondmind
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.4.0
## SecondMind v1.4.0 – "Project Tracker"
### New Features
- **Project Tracking**: `/accept` automatically creates tracked projects
- `/projects` command to view active/completed projects
- `/complete` marks projects as done – permanently excluded from future suggestions
- Initiative engine checks project state before suggesting (no duplicates)
- Project count in `/status` output
### Fixes
- **Initiative dedup overhaul**: Blacklist now covers ALL rejected/dead/completed proposals (was 7 days)
- **Hard blacklist safety net**: Fuzzy keyword matching blocks reformulated duplicates even when LLM ignores instructions
- **Explicit blacklist section in LLM prompt** with examples and strict rules
- `/drop` now archives related knowledge entries to longterm (source dries up, not just the proposal)
### Breaking Changes
- None. Migration runs automatically on first start.
v1.3.0
v1.3.0 – "From Suggestion Bot to Buddy"
- Three-tier autonomous memory (short → mid → long-term)
- Proactive initiative engine with social intelligence
- Semantic deduplication (Hash → FTS → LLM)
- Bulk feedback + natural language commands
- Archive retrieval in initiative pipeline
- Gentle reminders + auto-throttle
- Telegram integration with full command set
- All models via OpenRouter (~$0.60-1.65/month)
Made by AI, for AI. Created by Emphaiser.
Frequently Asked Questions
What is SecondMind?
Autonomous three-tier memory with proactive initiative, project tracking, and social intelligence. Ingests OpenClaw conversations, extracts knowledge + emoti... It is an AI Agent Skill for Claude Code / OpenClaw, with 1172 downloads so far.
How do I install SecondMind?
Run "/install secondmind" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is SecondMind free?
Yes, SecondMind is completely free (open-source). You can download, install and use it at no cost.
Which platforms does SecondMind support?
SecondMind is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created SecondMind?
It is built and maintained by Emphaiser (@emphaiser); the current version is v1.4.0.