Jasper Recall

by MarjorieBroad · GitHub ↗ · v1.0.0 · MIT-0
cross-platform · ⚠ suspicious
44 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install qui-jasper-recall
Description
Local retrieval-augmented generation system for AI agents to index, search, and recall private, shared, and learned memories using ChromaDB and SkillBoss emb...
Usage Guidance
Things to check before installing:
  1. Source trust: The package includes many scripts that will write to your home (~/.openclaw, ~/.jasper-recall, ~/.local/bin) and modify OpenClaw config; only install if you trust the publisher or have reviewed all files (especially scripts/recall.py, scripts/sync-shared.py, and any code that makes network requests).
  2. Embeddings / network: SKILL.md indicates embeddings route through SkillBoss API Hub and requires SKILLBOSS_API_KEY. That means text chunks may be sent off-host for embedding. If you will index private or sensitive content, confirm the embedding provider, data handling, and whether you want to expose that content.
  3. OpenClaw changes: setup will attempt to add and enable a jasper-recall plugin in ~/.openclaw/openclaw.json (autoRecall:true). Back up openclaw.json before running setup and review the change; auto-enabling a plugin can change agent behavior.
  4. Server exposure: the bundled server defaults to host=127.0.0.1 (safer) and public_only=true. Avoid starting it bound to 0.0.0.0 or enabling RECALL_ALLOW_PRIVATE unless you intentionally want remote/private access. CORS is set to '*', so if you bind to an external interface, web origins can query it.
  5. Credentials mismatch: registry metadata shows no required env vars but SKILL.md lists SKILLBOSS_API_KEY. Ask the publisher to clarify whether a remote embedding API key is required and update registry metadata.
  6. Mitigations: run inside a contained environment (dedicated user account or container), inspect/grep for network requests in the Python scripts, and test with non-sensitive example data first. If you need a fully offline option, confirm whether local sentence-transformers models are used instead of remote embeddings and how to force local-only operation.
Capability Analysis
Type: OpenClaw Skill
Name: qui-jasper-recall
Version: 1.0.0
The skill bundle implements a functional RAG system but contains critical security vulnerabilities and high-risk patterns. Specifically, 'cli/server.js' and 'extensions/openclaw-plugin/index.ts' use 'execSync' to execute shell commands with user-provided search queries; while there is basic escaping for double quotes, it is insufficient to prevent command injection via other shell metacharacters (e.g., backticks or subshells). Additionally, the system sends potentially sensitive agent memory to an external endpoint (api.heybossai.com) for embeddings. While the inclusion of 'scripts/privacy-check.py' suggests a lack of malicious intent regarding data leakage, the combination of RCE vulnerabilities and external data transmission makes this bundle high-risk for production environments.
Capability Tags
requires-oauth-token · requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The files and scripts implement a local RAG/memory system (ChromaDB, indexing, recall, a server, multi-agent mesh), which is coherent with the skill's name and description. However, the registry metadata lists no required env vars, while SKILL.md and the code indicate that an embedding service (SkillBoss API Hub) is used and needs SKILLBOSS_API_KEY. That mismatch is an inconsistency you should confirm with the publisher.
Instruction Scope
Runtime instructions and setup will create a Python venv, install chromadb and sentence-transformers, create ~/.local/bin scripts, write config under ~/.jasper-recall and ~/.openclaw, and copy SKILL.md into OpenClaw's skills dir. The recall server enables CORS '*' and can be bound to 0.0.0.0 (exposes endpoints externally if started that way). The SKILL.md and code indicate embeddings may be obtained via SkillBoss API Hub, which implies user data (indexed text or chunks) could be sent to that external service — confirm whether embeddings are remote and whether that matches your privacy expectations. The server defaults to public_only=true, and private access requires RECALL_ALLOW_PRIVATE=true; still, misconfiguration (running host 0.0.0.0 + CORS '*') can leak data.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the package includes many scripts and a setup routine invoked via `npx jasper-recall setup` that will create a venv and run pip installs (chromadb, sentence-transformers). Using pip/venv and copying scripts into ~/.local/bin is standard for this type of tool, but it's an active install that writes files to your home and executes child processes — verify the source and review the Python scripts (which may perform network calls).
Credentials
SKILL.md lists requires.env: [SKILLBOSS_API_KEY] (used for SkillBoss API Hub embeddings) but the registry metadata provided earlier declared no required env vars — that's inconsistent. The code also relies on several RECALL_* env vars (RECALL_ALLOW_PRIVATE, RECALL_PORT, etc.) which are reasonable for configuration, but SKILLBOSS_API_KEY would permit remote embedding calls and is a high-sensitivity credential: confirm whether embeddings go to a third-party service and whether you are comfortable sending memory text there. The server only permits private queries when RECALL_ALLOW_PRIVATE=true; ensure that remains unset unless intended.
Persistence & Privilege
The setup modifies user files persistently: creates ~/.openclaw/chroma-db, ~/.openclaw/rag-env, ~/.local/bin scripts, and — if ~/.openclaw/openclaw.json exists — it will add/enable a 'jasper-recall' plugin entry with autoRecall:true. This is a persistent change to OpenClaw configuration and effectively enables the skill as a plugin by default. While not 'always:true' in the registry, the automatic enabling behavior and writing to config files is significant and should be reviewed before install. The server's CORS '*' plus optional binding to 0.0.0.0 increases exposure if misused.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install qui-jasper-recall
  3. After installation, invoke the skill by name or use /qui-jasper-recall
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Jasper Recall v0.3.1 introduces major enhancements for multi-agent memory sharing and control:
  - Added multi-agent mesh support (N agents can now share memory across a mesh)
  - Introduced agent-specific collections for greater memory isolation and privacy
  - New OpenClaw plugin with autoRecall capabilities
  - Expanded CLI with new commands: recall-mesh and sync-shared
  - Upgraded system architecture for more flexible, secure, and collaborative memory sharing between agents
Metadata
Slug qui-jasper-recall
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Jasper Recall?

Local retrieval-augmented generation system for AI agents to index, search, and recall private, shared, and learned memories using ChromaDB and SkillBoss emb... It is an AI Agent Skill for Claude Code / OpenClaw, with 44 downloads so far.

How do I install Jasper Recall?

Run "/install qui-jasper-recall" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Jasper Recall free?

Yes, Jasper Recall is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Jasper Recall support?

Jasper Recall is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Jasper Recall?

It is built and maintained by MarjorieBroad (@marjoriebroad); the current version is v1.0.0.
