← 返回 Skills 市场
482
总下载
0
收藏
1
当前安装
3
版本数
在 OpenClaw 中安装
/install pgmemory
功能描述
Persistent semantic memory for OpenClaw agents — PostgreSQL + pgvector
安全使用建议
This skill appears to implement a coherent PostgreSQL+pgvector memory system, but take these precautions before installing/ running the setup wizard: 1) Inspect scripts/setup.py and confirm you are comfortable with it modifying AGENTS.md, writing a config to ~/.openclaw/pgmemory.json, and installing/configuring cron/docker. 2) Decide how to supply embedding API keys: the wizard can store a key in plain JSON under your home directory (CHANGELOG explicitly added this behavior) — consider using a local provider (Ollama) or an env var and restrict file permissions if you allow config storage. 3) Backup AGENTS.md and any agent workspaces before running --sync-agents or the automatic injection. 4) The requirements mention numpy but requirements.txt only lists psycopg2-binary; ensure you install necessary Python deps manually. 5) For least privilege, run the setup in a sandboxed environment (or test agent) first and review network calls (voyage/openai endpoints) if you must avoid sending embedding data externally. If you want, I can point out the exact lines in setup.py that modify AGENTS.md, create cron jobs, or persist the api_key so you can review/patch them.
功能分析
Type: OpenClaw Skill
Name: pgmemory
Version: 1.2.0
The skill is classified as suspicious primarily due to a significant Remote Code Execution (RCE) vulnerability in `scripts/setup.py`. The script uses `curl -fsSL https://get.docker.com | sh` to install Docker, which executes arbitrary code downloaded from the internet without prior validation, posing a supply chain risk if the source domain were compromised. Additionally, `scripts/setup.py` performs high-privilege system modifications (e.g., `sudo usermod`, `crontab` scheduling) and modifies `AGENTS.md` to inject instructions for the OpenClaw agent, which, while intended for legitimate skill integration, demonstrates the use of prompt injection as an attack surface.
能力评估
Purpose & Capability
Name/description (persistent semantic memory with PostgreSQL + pgvector) align with included code, SQL migrations, and scripts for write/query/setup. However the package advertises Python deps including numpy but requirements.txt contains only psycopg2-binary (minor mismatch). The skill also performs agent-workspace integration (scaffolding/injecting startup steps into AGENTS.md) which is plausible for a memory system but is a higher-impact capability than a simple library.
Instruction Scope
SKILL.md and the included setup script instruct the agent to modify user workspace files (AGENTS.md injection, 'This is not optional' wording in changelog), configure cron jobs for daily decay, scaffold per-agent namespaces, and optionally run Docker/DB provisioning. These are legitimate for a memory integration but they are broad file-system and workspace changes that go beyond passive library installation and should be approved by the user. The scripts also read/write ~/.openclaw/pgmemory.json and can store embedding API keys there.
Install Mechanism
No remote download/install spec is included (instruction-only plus bundled scripts). All code is present in the bundle and migrations/docs are local. This is lower-risk than remote installers. There is no suspicious external install URL. (Note: setup can install/configure Docker and create cron entries on the host when you run it — actions that require user consent.)
Credentials
Registry metadata declared no required env vars, but the scripts require an embedding provider API key (config supports storing api_key in ~/.openclaw/pgmemory.json or falling back to an env var name configured in the config). The CHANGELOG explicitly added storing API keys directly in the config. Storing secrets in a plaintext config file under the home directory is a security/privacy risk and should be considered proportional only if the user is comfortable with local storage of keys. The number of environment/credential access points is small and relevant to embeddings, but the registry omission of these expectations is inconsistent.
Persistence & Privilege
The skill does not request always:true and does not modify other skills' configs directly, but the setup wizard can modify agent workspace files (AGENTS.md), create cron jobs for decay, and save its own config (~/.openclaw/pgmemory.json). Those are normal for a persistent memory integration but are persistent effects with system-wide visibility across agent workspaces; users should review and approve these changes before running the wizard. The skill can be run non-interactively with --yes which increases risk if executed without review.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install pgmemory - 安装完成后,直接呼叫该 Skill 的名称或使用
/pgmemory触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.2.0
API key now stored directly in pgmemory.json — no env var setup needed. Scripts resolve key from config first, env var second. Setup wizard prompts to paste key at install time. Startup commands no longer need VOYAGE_API_KEY= prefix.
v1.1.0
pgmemory is now the default memory system. Markdown files are written as automatic backup. Added --check flag for connectivity health check with 5s timeout and loud warning on failure. Setup injects startup steps into the Every Session list in AGENTS.md so agents use pgmemory automatically.
v1.0.0
Initial release — persistent semantic memory for OpenClaw agents.
元数据
常见问题
Pgmemory 是什么?
Persistent semantic memory for OpenClaw agents — PostgreSQL + pgvector. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 482 次。
如何安装 Pgmemory?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install pgmemory」即可一键安装,无需额外配置。
Pgmemory 是免费的吗?
是的,Pgmemory 完全免费(开源免费),可自由下载、安装和使用。
Pgmemory 支持哪些平台?
Pgmemory 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Pgmemory?
由 jbushman(@jbushman)开发并维护,当前版本 v1.2.0。
推荐 Skills