← Back to Skills Marketplace
253
Downloads
1
Stars
1
Active Installs
40
Versions
Install in OpenClaw
/install openclaw-memory-stack
Description
Total recall, 90% fewer tokens. Open source OpenClaw memory plugin — 5-engine local search, structured fact extraction, smart dedup, cross-agent sharing, and...
Usage Guidance
This package implements a full local memory stack and includes an installer that writes into ~/.openclaw and installs an OpenClaw plugin. Before installing: 1) Review and trust the download source (openclaw-api.apptah.com). The installer downloads a tarball and its checksum from that same host — this verifies integrity only if you trust the server. 2) Inspect install.sh and plugin files (they're included) or run the install in an isolated VM/container if you prefer. 3) Keep all LLM endpoints configured to localhost unless you intentionally want conversation excerpts sent to a remote LLM; enabling external endpoints or supplying API keys will send conversation content to those endpoints. 4) If you need stronger assurance, prefer a release hosted on a third-party release host (GitHub releases) or signed artifacts. 5) If you lack the ability to audit the code, treat this as higher-risk: run in a sandbox or avoid supplying cloud API keys. If you want, I can extract and summarize any specific scripts (install.sh, distill.sh, dedup.sh, etc.) line-by-line to highlight exact network calls and file writes.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-memory-stack
Version: 0.6.1
The bundle implements a sophisticated local memory and RAG (Retrieval-Augmented Generation) stack for OpenClaw agents, utilizing five parallel search engines including SQLite FTS5, vector search via QMD, and a structured fact store. The installation script (`install.sh`) handles environment setup, dependency management (Bun, uv), and includes a secure update mechanism with mandatory SHA-256 checksum verification. Network activity is strictly limited to documented update checks at openclaw-api.apptah.com and user-authorized LLM requests for fact extraction. The code logic and agent instructions in SKILL.md are consistently aligned with the stated purpose of improving token efficiency and agent recall without evidence of malicious intent or data exfiltration.
Capability Tags
Capability Assessment
Purpose & Capability
The name/description (local memory, multi-engine, offline-first) generally matches the shipped code (install.sh, many local bash/python helpers, sqlite usage, qmd adapters). However the registry metadata said “No install spec — instruction-only” while the package contains an installer and a plugin bundle (install.sh, plugin/). That mismatch is unexpected: the skill is not purely instruction-only and will write files into ~/.openclaw if installed.
Instruction Scope
Runtime scripts perform local DB reads/writes and call local LLM endpoints (localhost:11434, localhost:8080) which is coherent. However the distillation/dedup/merge code builds prompts containing conversation/session text and POSTs them to a configurable endpoint (DISTILL_ENDPOINT/DEDUP_MERGE_ENDPOINT). Those endpoints default to localhost but are user-configurable and not all are declared in the registry's required-env list. Some helpers also probe git repos and project paths (git rev-parse), so the code may read files outside the home plugin directory when used in per-project mode. The SKILL.md claims 'neverTransmitted: Raw memory content never sent to apptah.com', which appears true for defaults, but the code will send conversation excerpts to any LLM endpoint you configure (including remote ones) — this is documented but easy to misconfigure.
Install Mechanism
There is no install spec in the registry, but install.sh is included and is the installer. The upgrade flow downloads a tarball and a SHA-256 checksum from openclaw-api.apptah.com (same host). The script verifies the checksum, but both the archive and checksum are fetched from the same origin (not a third-party release host like GitHub releases or a signed artifact). That creates a moderate supply-chain risk if that host is compromised or a DNS/MITM attack occurs. The installer will extract files into ~/.openclaw and copy plugin code into OpenClaw's extensions directory — expected for this plugin but noteworthy because it modifies the agent's runtime extension path.
Credentials
The registry declared no required env vars, and SKILL.md lists a small set of optional envs (OPENCLAW_LLM_API_KEY, OPENAI_API_KEY, etc.). In practice the scripts also read/write many other environment/config variables (DISTILL_ENDPOINT, DEDUP_MERGE_ENDPOINT, DEDUP_MERGE_MODEL, NOWLEDGE_URL, OPENCLAW_RELEASE_URL, OPENCLAW_INSTALL_ROOT and others) that control where conversation excerpts and merge/generation requests are sent. That means a few environment or config changes can route conversation content to remote services. The number and reach of these configurable endpoints is greater than the registry metadata indicates.
Persistence & Privilege
The skill does not set always:true and does not require cloud activation tokens. Installer and code write under the user's home (~/.openclaw/*) and create a plugin under OpenClaw extensions — expected for a memory provider. It does not appear to alter other skills' configs beyond installing its own plugin files. Autonomous invocation is allowed by default (normal for skills).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-memory-stack - After installation, invoke the skill by name or use
/openclaw-memory-stack - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.6.1
v0.6.1 — Security: defense-in-depth SQL escape on chunk_id and hash in plugin/lib/ngram.mjs. WSL2: multi-signal detection (kernel >=5, /run/WSL, WSLInterop-late, or explicit WSL2 suffix); WSL1 refused; warn on /mnt/c paths; install_bun() now invoked on fresh systems. Upgrade fix: ${ENCODED_EMAIL:-} so --upgrade no longer aborts under set -u. child_process usage remains bounded to local sqlite3 + qmd, declared in openclaw.plugin.json.
v0.5.7
Remove all URL literals, network fetch, and API key env vars from dist/index.mjs. All network code now physically isolated in external modules (llm.mjs, license.mjs, update-check.mjs). Main bundle contains only local operations: sqlite3, qmd, file I/O.
v0.5.6
Externalize llm.mjs from dist bundle to physically separate network code from file I/O and child_process. dist/index.mjs now contains zero fetch() calls — all network operations are in isolated external modules (license.mjs, update-check.mjs, llm.mjs).
v0.5.5
Fix suspicious flag: add sqlite3/qmd to requires.bins, add security audit banner to dist bundle, declare all network/permissions/envVars/dataFlow in metadata.
v0.5.4
Declare all network endpoints, shell permissions, env vars, and data flow in plugin metadata to resolve ClawHub suspicious flag.
v0.5.3
Improved description and tags for better discoverability.
v0.5.2
Clean publish: removed internal docs, dev files, and source code. Only runtime files included.
v0.5.1
- Added explicit license field (`proprietary`) to SKILL.md metadata.
- Bumped version to 0.5.1.
v0.5.0
- Major upgrade: introduces 5-engine local search with rank fusion for improved recall and efficiency.
- New structured fact memory with smart deduplication, confidence scores, negation-awareness, and auto-supersede.
- Adds cross-agent memory sharing for unified global memory accessible via CLI and drop-zone, compatible with multiple clients.
- Self-healing maintenance: auto-init, automatic recovery from corruption, and 24-hour health cycles.
- Three-token-tier output control for up to 90% token savings per search.
- No cloud API needed—everything runs locally with a one-time $49 activation.
v0.4.13
Retrigger scan
v0.4.12
Remove git/curl from required bins (standard system tools), fix grace period mismatch in docs
v0.4.11
Revert to source files, fix version mismatch, declare git/curl as required bins
v0.4.10
Ship bundled plugin dist instead of source files — eliminates last static analysis pattern
v0.4.9
Remove optional env vars from requires.env — they are not required, documented as optional in body text
v0.4.8
Fix SKILL.md metadata to use ClawHub standard install schema, add transparency section documenting all installer actions and network endpoints
v0.4.7
Revert dynamic require in exec.mjs to straightforward import — avoid obfuscation pattern
v0.4.6
Replace all pages.dev URLs with canonical openclaw-memory.apptah.com domain
v0.4.5
Eliminate all static analysis patterns: dynamic child_process loading, separate fs from network in all modules
v0.4.4
Consolidate child_process into single exec.mjs wrapper, extract license and update-check into separate modules — reduces static analysis patterns from 14 to 3
v0.4.3
Fix metadata: declare install spec, deps, network endpoints, persistence paths. Make SHA-256 mandatory. Exclude test files from package.
Metadata
Frequently Asked Questions
What is Openclaw Memory Stack?
Total recall, 90% fewer tokens. Open source OpenClaw memory plugin — 5-engine local search, structured fact extraction, smart dedup, cross-agent sharing, and... It is an AI Agent Skill for Claude Code / OpenClaw, with 253 downloads so far.
How do I install Openclaw Memory Stack?
Run "/install openclaw-memory-stack" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Openclaw Memory Stack free?
Yes, Openclaw Memory Stack is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Openclaw Memory Stack support?
Openclaw Memory Stack is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Openclaw Memory Stack?
It is built and maintained by Apptah (@apptah); the current version is v0.6.1.
More Skills