Memory Auto Archive

Automatically archives daily chat logs with keyword highlights and optional AI summaries into organized memory files without manual setup.

Key things to consider before installing: - Cross-platform claims vs Windows-specific code: index.js attempts to run powershell.exe and references a hard-coded Windows user path (C:\Users\42517...), and the referenced PowerShell scripts (archive.ps1/refine.ps1) are not included in the package. Ask the author which entrypoint is authoritative (index.js vs standalone-archive.js/src/) and whether the PowerShell scripts are intentionally omitted. - Sensitive-data capture: default keywords include 'password', 'token', 'secret' and the refine prompt explicitly instructs collecting 'data: important configs, passwords, tokens'. This plugin will write highlighted text to memory/*.md and possibly append to MEMORY.md. If your chats ever include secrets, they will be stored on disk and could be included in prompts. Disable refinement or remove secret-related keywords if you do not want secret capture. - AI refinement risk: refinement is disabled by default, but examples show enabling it with model identifiers. If you enable refinement and the code is later changed to call an external API, prompts could include sensitive info. Only enable AI refinement after confirming the callAI implementation and where the model runs (local vs external), and ensure proper credentials/permissions. - Sanity-check paths and startup behavior: the package has multiple entrypoints (index.js, standalone-archive.js, plugin.ts, src/index.ts). Confirm which one your OpenClaw installation will actually execute. The standalone-archive.js and src/archiver implement the expected cross-platform logic and may be safer; index.js is Windows-specific and seems out of sync. - If you plan to use it: review or test in a disposable workspace first (no real secrets), remove secret-related keywords, and verify that no external network calls are made (look for future callAI implementations). Ask the maintainer to remove hard-coded developer paths and either include or remove the PowerShell scripts so behavior is deterministic. Confidence notes: There are clear inconsistencies (Windows paths, missing scripts, secret-capturing defaults) that justify caution. I could raise confidence to high if the author confirms which entrypoint is intended and whether refine will ever send data to external services.

Type: OpenClaw Skill Name: memory-auto Version: 1.0.0 The skill bundle is classified as suspicious due to high-risk data handling and execution patterns. Specifically, 'index.js' contains a hardcoded developer path ('C:\Users\42517\...') and attempts to execute external PowerShell scripts ('archive.ps1', 'refine.ps1') with a 'Bypass' execution policy, but these scripts are missing from the bundle. Additionally, the default configuration in 'src/defaults.ts' and 'standalone-archive.js' explicitly targets and extracts sensitive strings like 'password', 'token', 'key', and 'secret' from chat transcripts into plaintext markdown files. While this behavior is consistent with the stated 'memory archiving' purpose, the centralization of secrets without encryption and the reliance on missing external scripts are significant red flags.