sky-lv

Agent Memory System

Author: SKY-lv · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 170
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install openclaw-agent-memory-system
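Description
Agent memory system design assistant. Builds long-term, short-term, and episodic memory architectures. Trigger words: 记忆 (memory), memory, 上下文管理 (context management), 上下文窗口 (context window).
Safe usage recommendations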
This skill provides a coherent design and sample code for an agent memory system, but there are several red flags you should consider before using it:
- Missing credential declaration: The code calls the OpenAI embeddings endpoint using process.env.OPENAI_API_KEY, yet the skill metadata does not declare any required environment variables. If you supply an API key, the skill's instructions will send content (potentially sensitive) to OpenAI.
- Data persistence and exfiltration risk: The design persists arbitrary 'content' to a SQLite DB and a local Chroma vector store, and will send high-importance content to the external embeddings API. Review what you store and avoid putting secrets (passwords, tokens, PII) into memories.
- Insecure SQL: The sample code builds SQL with string interpolation (content LIKE '%${k}%'), which is vulnerable to SQL injection. If you implement this, use parameterized queries or proper sanitization.
- Missing dependency/runtime notes: The SKILL.md assumes a Node-like environment and libraries (SQLite client, Chroma client, fetch, crypto). The skill metadata doesn't list these — confirm the runtime and add explicit dependency/installation steps before implementation.
Recommendations: only use or implement this guidance if you (or a developer you trust) will:
  1. Explicitly declare and protect the OPENAI_API_KEY and never store secrets in the memory store;
  2. Replace string-interpolated SQL with parameterized queries;
  3. Add clear dependency and install instructions;
  4. Audit what data will be persisted and sent to external services; and
  5. Verify the linked repository (skill.json references a GitHub repo) to inspect full source and history.
If you cannot verify these items, treat the skill as potentially unsafe.
Functional analysis
Type: OpenClaw Skill
Name: openclaw-agent-memory-system
Version: 1.0.0
The skill bundle provides a template for an AI memory system that contains a critical SQL injection vulnerability in the `retrieve` method within `SKILL.md`. User-provided search queries are split into keywords and directly interpolated into a SQLite query string without sanitization. While the code accesses `process.env.OPENAI_API_KEY` to fetch embeddings from OpenAI, this behavior aligns with the stated purpose of the memory system and does not appear to be intentional data exfiltration.
Capability tags
crypto
Capability assessment
Purpose & Capability
The name and description (agent memory design assistant) align with the provided implementation guidance: SQLite for long-term storage, a vector store (Chroma) for embeddings, short-term maps, and calls to an embeddings API. However, the SKILL.md contains concrete implementation code that implies runtime dependencies (Node runtime, SQLite bindings, Chroma client, crypto, fetch) and use of an OPENAI_API_KEY, none of which are declared in the skill metadata. This mismatch between declared requirements (none) and implied runtime needs is noteworthy.
Instruction Scope
The instructions include code that calls an external embeddings API (https://api.openai.com/v1/embeddings) using process.env.OPENAI_API_KEY, persists data to a SQLite DB and a local Chroma store, deletes vector entries, and constructs SQL queries by interpolating user-provided text (content LIKE '%${k}%') — which is vulnerable to SQL injection if executed as-is. The SKILL.md does not limit or sanitize what data gets stored; it instructs storing arbitrary 'content' and metadata, which could lead to sensitive data being persisted or sent to the external embedding endpoint.
Install Mechanism
This is an instruction-only skill with no install spec and no code files executed by the platform. That minimizes direct install risk. However, the guidance implies installing/using packages (SQLite client, Chroma client) if a developer implements it — those steps are not provided here.
Credentials
The implementation explicitly uses process.env.OPENAI_API_KEY but the skill declares no required environment variables. Requesting an API key would be proportionate for embeddings, but the omission in metadata is an inconsistency and a potential surprise to users. The skill would also require filesystem write access (SQLite DB and './chroma') — that access is not declared.
Persistence & Privilege
The skill is not always-enabled and is user-invocable, and does not request elevated platform privileges. The described behavior stores data to a local DB and vector store (its own data), but does not attempt to modify other skills or global settings.
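How to use
  1. Make sure OpenClaw is installed (local or Docker deployment).
  2. Enter the install command in the chat box: /install openclaw-agent-memory-system
  3. Once installation completes, invoke the Skill by name or trigger it with /openclaw-agent-memory-system
  4. Provide the required input according to the Skill's parameter description to get structured output.
Version history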
v1.0.0
Agent memory system initial release — supports multi-layered memory management for agents.
- Implements short-term, long-term, semantic, and procedural memory architecture with context management.
- Provides TypeScript core class for storing, retrieving, and consolidating agent memories using SQLite and vector search (Chroma).
- Includes routines for context window building, memory importance scoring, and automatic short→long-term compression & forgetting.
- Supports memory tagging, usage count, timestamp, and flexible storage for persistent agent learning.
- Chinese documentation and usage examples included.
Metadata
Slug: openclaw-agent-memory-system
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
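Frequently asked questions

What is Agent Memory System?

Agent memory system design assistant. Builds long-term, short-term, and episodic memory architectures. Trigger words: 记忆 (memory), memory, 上下文管理 (context management), 上下文窗口 (context window). It is an AI Agent Skill plugin for Claude Code / OpenClaw and has been downloaded 170 times in total so far.

How do I install Agent Memory System?

Run the command "/install openclaw-agent-memory-system" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Agent Memory System free?

Yes. Agent Memory System is completely free, is released under the MIT-0 license, and can be freely downloaded, installed, and used.

Which platforms does Agent Memory System support?

Agent Memory System runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Agent Memory System?

It is developed and maintained by SKY-lv (@sky-lv); the current version is v1.0.0.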
