← 返回 Skills 市场
Smart Memory
作者
John DeVere Cooley
· GitHub ↗
· v1.0.0
391
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install openjaw-smart-memory
功能描述
Zero-cost persistent memory that makes your bot smarter over time. Automatically extracts, stores, and retrieves key facts, preferences, and decisions from c...
安全使用建议
This skill is coherent with its stated purpose (local JSON memory) but has privacy and small-declaration issues you should consider before installing:
- Review the scripts before use. They run locally, but they expect 'jq' and other standard Unix tools; the registry metadata did not declare 'jq' as required. Install jq or confirm availability.
- Be cautious about storing secrets. The skill explicitly suggests storing API keys and server addresses drawn from conversations. If you enable this, treat the memory directory like sensitive storage: restrict filesystem permissions, consider encrypting the directory, or disable storing credentials.
- The stats/report command prints the first ~60 characters of memory values. That can leak secret fragments — remove or modify that output if you care about privacy.
- Soft-delete keeps items in archive for 30 days. If you need immediate, irreversible deletion for sensitive items, test 'purge' and confirm behavior meets your policy.
- Follow principle of least privilege: set OPENCLAW_MEMORY_DIR to a controlled location, verify file permissions, and run 'memory-manager.sh init' manually to inspect created files. Consider disabling automatic inference/storage until you have explicit consent rules implemented.
If you want a green light: have the author declare 'jq' as a required binary, remove value snippets from reports or mask them, add explicit opt-in for storing credentials, shorten retention for sensitive items or add encryption, and re-run a review.
功能分析
Type: OpenClaw Skill
Name: openjaw-smart-memory
Version: 1.0.0
The skill is classified as suspicious due to the explicit instruction in `SKILL.md` to the AI agent to store 'API keys (stored locally only)' in plain JSON files. While the `memory-manager.sh` script itself does not exfiltrate this data and uses `jq --arg` to prevent direct shell injection into its commands, storing sensitive credentials in an unencrypted local file is a significant security vulnerability. This creates a high-risk prompt injection surface, as a compromised agent or a malicious user prompt could later instruct the agent to retrieve and misuse these stored keys, even if the skill's author intended for local-only storage.
能力评估
Purpose & Capability
The skill's name/description (local persistent memory) matches the included scripts and instructions: everything reads/writes JSON under ~/.openclaw/smart-memory and uses shell/jq. However the metadata claims no required binaries while the scripts explicitly require 'jq' (and use standard tools like stat, du, bc). That undeclared dependency is an incoherence.
Instruction Scope
SKILL.md instructs the agent to automatically extract and store a wide range of information, including 'technical context: server addresses, API keys (stored locally only)'. That is within a memory feature but expands scope to storing highly sensitive secrets. Also the reporting script (memory-stats.sh) prints snippets of stored values (value[:60]) in its report, which contradicts the 'No sensitive data in logs' rule in the doc and can leak secret fragments to anyone who can run/view the report.
Install Mechanism
There is no download/install step — the skill is instruction + included local scripts. No external URLs or archive extraction are involved, so install risk is low. The scripts will run locally when invoked.
Credentials
The skill declares no required environment variables but the code honors OPENCLAW_MEMORY_DIR if set and requires 'jq' (not declared). More importantly, the skill encourages storing API keys and server addresses drawn from conversation — that increases the sensitive data footprint without requiring explicit credentials. Retention/archival (soft-delete with 30-day archive) and automatic daily maintenance increase the time sensitive data is kept.
Persistence & Privilege
always:false (good). The SKILL.md defines a daily heartbeat/maintenance action; combined with the normal autonomous invocation this means the agent can run maintenance and access local memories automatically. This is not unusual, but it increases the blast radius when combined with the ability to store secrets.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install openjaw-smart-memory - 安装完成后,直接呼叫该 Skill 的名称或使用
/openjaw-smart-memory触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release
元数据
常见问题
Smart Memory 是什么?
Zero-cost persistent memory that makes your bot smarter over time. Automatically extracts, stores, and retrieves key facts, preferences, and decisions from c... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 391 次。
如何安装 Smart Memory?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install openjaw-smart-memory」即可一键安装,无需额外配置。
Smart Memory 是免费的吗?
是的,Smart Memory 完全免费(开源免费),可自由下载、安装和使用。
Smart Memory 支持哪些平台?
Smart Memory 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Smart Memory?
由 John DeVere Cooley(@jcools1977)开发并维护,当前版本 v1.0.0。
推荐 Skills