
MemVault

by wjy9902 · GitHub ↗ · v1.0.3
cross-platform ⚠ suspicious
Downloads: 415
Stars: 0
Active Installs: 0
Versions: 4
Install in OpenClaw
/install memvault
Description
Production-ready long-term memory server for AI agents with Ebbinghaus decay and strength-weighted retrieval. Use when you need persistent memory across agen...
Usage Guidance
This package is functionally consistent with a self‑hosted long‑term memory server, but exercise caution before running the installer. Review scripts/install.sh and avoid blindly running curl | sh from the network; consider installing Ollama manually or configuring MEMVAULT_LLM_BASE_URL to a known local endpoint. Update the default DB password (postgres/postgres) and confirm where MEMVAULT_LLM_BASE_URL points: if you set it to a cloud LLM (OpenAI/Groq), your stored memories will be transmitted to that provider. If you must test, run inside an isolated environment (VM/container) and inspect docker-compose and Dockerfile builds so you can audit downloaded models and packages. If you want lower risk, you can skip the auto‑installer and manually start the docker-compose build after reviewing files.
Capability Analysis
Type: OpenClaw Skill
Name: memvault
Version: 1.0.3
The skill is classified as suspicious due to multiple vulnerabilities. The `scripts/install.sh` uses `curl -fsSL https://ollama.com/install.sh | sh` for Ollama installation, which is a supply chain risk as it executes unreviewed remote code. More critically, `scripts/memvault.sh` is vulnerable to shell injection, as the `user_id` parameter in `decay` and `stats` commands is directly interpolated into `curl` URLs without proper shell escaping, potentially allowing arbitrary command execution. Additionally, `memvault_server.py` has a potential LLM prompt injection vulnerability in its translation function, where LLM-generated summaries could theoretically manipulate a local LLM.
Capability Assessment
Purpose & Capability
The code, Dockerfile, docker-compose, and CLI match the stated purpose (a long‑term memory server with embeddings, decay, and retrieval). However the registry metadata says 'required env vars: none' while the code and docker-compose rely on many environment variables (DB DSN, LLM base URL, API key, embedding URL, etc.). That mismatch is unexpected but plausibly an omission rather than outright malice.
Instruction Scope
SKILL.md instructs you to run the included install script and then call local endpoints and cron jobs. The runtime instructions themselves are scoped to installing and operating the service (memorize, retrieve, decay). They do not instruct arbitrary file system reads. Caveat: troubleshooting text references an OpenClaw workspace path which may not exist in all installs (minor inconsistency).
Install Mechanism
The provided scripts/install.sh will attempt to auto-install Ollama on Linux by executing a remote script via curl -fsSL https://ollama.com/install.sh | sh — this is a high‑risk pattern (running a remote installer without review). The installer also starts background processes (ollama serve) and runs docker compose up --build which will download images, pip packages, and pre-download embedding models during the Docker build. These are expected for this project but are higher risk than an instruction-only skill; review the installer and the remote install script before running.
Credentials
Although the registry metadata declared no required environment variables, the code and docker-compose rely on many env vars (MEMVAULT_DB_DSN, MEMVAULT_LLM_BASE_URL, MEMVAULT_LLM_API_KEY, MEMVAULT_EMBEDDING_URL, etc.). Defaults include cleartext DB credentials (postgres/postgres) in the compose file and the installer creates a .env. If you point MEMVAULT_LLM_BASE_URL to a public/cloud LLM (OpenAI, etc.), memories and potentially sensitive content will be sent to that provider. The skill may therefore handle secrets/PII; you should explicitly set appropriate credentials and endpoints and avoid using public LLMs if you want to keep data local.
Persistence & Privilege
The skill does not request permanent platform presence (always:false). Installer creates a CLI symlink in ~/.local/bin and writes a .env in the skill directory and uses a Docker volume for DB persistence; these are normal for a self‑hosted service and do not modify other skills or system-wide agent settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install memvault
  3. After installation, invoke the skill by name or use /memvault
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
Fix: rename extensionless files (Dockerfile.txt, memvault.sh, env.example.txt) for clawhub packaging
v1.0.2
Fix: include Dockerfile, CLI, env.example (renamed from .env.example for clawhub compat)
v1.0.1
Fix: re-publish for registry indexing
v1.0.0
Initial release: Ebbinghaus decay, strength-weighted retrieval, Docker one-command setup, multi-agent tracking, CLI tool
Metadata
Slug: memvault
Version: 1.0.3
License
All-time Installs: 0
Active Installs: 0
Total Versions: 4
Frequently Asked Questions

What is MemVault?

Production-ready long-term memory server for AI agents with Ebbinghaus decay and strength-weighted retrieval. Use when you need persistent memory across agen... It is an AI Agent Skill for Claude Code / OpenClaw, with 415 downloads so far.

How do I install MemVault?

Run "/install memvault" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is MemVault free?

Yes, MemVault is completely free (open-source). You can download, install and use it at no cost.

Which platforms does MemVault support?

MemVault is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created MemVault?

It is built and maintained by wjy9902 (@wjy9902); the current version is v1.0.3.
