Semantic Memory
by Jackxc2026 · v1.0.0 · MIT-0
99 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install semantic-memory
Description
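A Chinese long-term memory system for OpenClaw Agent. Three-track hybrid of jieba TF-IDF and vector retrieval, Chinese semantics first, with support for multi-agent memory collaboration. Trigger words: 向量数据库 (vector database), 记忆检索 (memory retrieval), 长期记忆 (long-term memory), 语义搜索 (semantic search), vector search, memory retrieval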
Usage Guidance
This skill implements the described memory/search functionality, but take these precautions before installing/running:
1) Do not run the ChromaDB server bound to 0.0.0.0 on a machine you don't trust or that is network-accessible; prefer localhost (127.0.0.1) or enable authentication/proxying.
2) Be careful with import_memory.py: if you pass a directory path, it will recursively read and upload .md files; avoid pointing it at system, home, or other sensitive directories.
3) The TF-IDF cache uses Python pickle; treat the cache directory as sensitive and ensure it's not writable by untrusted users/processes (an attacker-modified pickle could lead to code execution on load).
4) Review and, if needed, harden defaults in start_chroma.sh and README (host, port, API auth) before use.
5) Only run this skill and its scripts if you trust the source; if unsure, request the author to change defaults to bind to localhost and to use a safer cache format (e.g., JSON) or validate pickle integrity.
Capability Analysis
Type: OpenClaw Skill
Name: semantic-memory
Version: 1.0.0
The skill provides a legitimate Chinese-optimized memory system, but it contains significant security vulnerabilities. Specifically, `scripts/vector_search.py` uses the `pickle` module to load and save TF-IDF indices, which is a well-known vector for Remote Code Execution (RCE) if the cache directory is compromised. Additionally, `scripts/start_chroma.sh` configures the database to listen on all network interfaces (`0.0.0.0`) by default, increasing the network attack surface. While these appear to be unintentional design flaws rather than intentional malware, they represent high-risk behaviors.
Capability Assessment
Purpose & Capability
Name/description (Chinese-focused hybrid TF-IDF + vector memory) match the included code: vector_search.py, import_memory.py and a ChromaDB start script implement exactly that behavior. The dependencies (chromadb, jieba) and local cache/TF-IDF index are consistent with the described purpose.
Instruction Scope
Runtime instructions tell users to run a ChromaDB HTTP server (defaults to --host 0.0.0.0) and to import files from a filesystem directory. import_memory.py can recursively read and upload any .md files from a specified path (user-supplied or default), which could cause accidental ingestion of sensitive local data if misused. The start script and README default to binding the DB to 0.0.0.0 (network-exposed) without providing an example of securing it; that broad network exposure is a security concern.
Install Mechanism
No install spec (instruction-only) and included scripts are plain Python/bash files. Nothing is downloaded from unknown URLs or executed from remote sources during install. This limits supply-chain risk, though running the provided commands will write log/cache files to disk.
Credentials
The skill does not request secrets or credentials and uses a small set of environment variables (CHROMA_HOST/CHROMA_PORT/CHROMA_PATH/TFIDF_CACHE) which are reasonable for configuring a local DB. However, defaults (host=0.0.0.0, port=8000, path=./vector_db, cache dir ./tfidf_cache) are permissive and can expose data if not adjusted. No unexplained credentials or external endpoints are requested.
Persistence & Privilege
`always` is false and the skill does not attempt to modify other skills or global agent config. It will create local cache files and logs (TF-IDF pickle cache, chroma_server.log). A notable persistence risk: TF-IDF cache is serialized with Python pickle and later unpickled; if an attacker can overwrite the cache file, unpickling could execute arbitrary code.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install semantic-memory
- After installation, invoke the skill by name or use /semantic-memory
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
v1.0.0: Chinese-semantics-first three-track hybrid retrieval
Frequently Asked Questions
What is Semantic Memory?
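A Chinese long-term memory system for OpenClaw Agent. Three-track hybrid of jieba TF-IDF and vector retrieval, Chinese semantics first, with support for multi-agent memory collaboration. Trigger words: 向量数据库 (vector database), 记忆检索 (memory retrieval), 长期记忆 (long-term memory), 语义搜索 (semantic search), vector search, memory retrieval. It is an AI Agent Skill for Claude Code / OpenClaw, with 99 downloads so far.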
How do I install Semantic Memory?
Run "/install semantic-memory" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Semantic Memory free?
Yes, Semantic Memory is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Semantic Memory support?
Semantic Memory is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Semantic Memory?
It is built and maintained by Jackxc2026 (@jackxc2026); the current version is v1.0.0.