marjoriebroad

Jasper Recall

Author: MarjorieBroad · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 44
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install qui-jasper-recall
Description
Local retrieval-augmented generation system for AI agents to index, search, and recall private, shared, and learned memories using ChromaDB and SkillBoss emb...
Security usage advice
Things to check before installing:
1) Source trust: The package includes many scripts that will write to your home (~/.openclaw, ~/.jasper-recall, ~/.local/bin) and modify OpenClaw config; only install if you trust the publisher or have reviewed all files (especially scripts/recall.py, scripts/sync-shared.py, and any code that makes network requests).
2) Embeddings / network: SKILL.md indicates embeddings route through SkillBoss API Hub and requires SKILLBOSS_API_KEY. That means text chunks may be sent off-host for embedding — if you will index private or sensitive content, confirm the embedding provider, data handling, and whether you want to expose that content.
3) OpenClaw changes: setup will attempt to add and enable a jasper-recall plugin in ~/.openclaw/openclaw.json (autoRecall:true). Back up openclaw.json before running setup and review the change — auto-enabling a plugin can change agent behavior.
4) Server exposure: the bundled server defaults to host=127.0.0.1 (safer) and public_only=true. Avoid starting it bound to 0.0.0.0 or enabling RECALL_ALLOW_PRIVATE unless you intentionally want remote/private access. CORS is set to '*', so if you bind to an external interface, web origins can query it.
5) Credentials mismatch: registry metadata shows no required env vars but SKILL.md lists SKILLBOSS_API_KEY. Ask the publisher to clarify whether a remote embedding API key is required and update registry metadata.
6) Mitigations: run inside a contained environment (dedicated user account or container), inspect/grep for network requests in the Python scripts, and test with non-sensitive example data first. If you need a fully offline option, confirm whether local sentence-transformers models are used instead of remote embeddings and how to force local-only operation.
Functional analysis
Type: OpenClaw Skill
Name: qui-jasper-recall
Version: 1.0.0
The skill bundle implements a functional RAG system but contains critical security vulnerabilities and high-risk patterns. Specifically, 'cli/server.js' and 'extensions/openclaw-plugin/index.ts' use 'execSync' to execute shell commands with user-provided search queries; while there is basic escaping for double quotes, it is insufficient to prevent command injection via other shell metacharacters (e.g., backticks or subshells). Additionally, the system sends potentially sensitive agent memory to an external endpoint (api.heybossai.com) for embeddings. While the inclusion of 'scripts/privacy-check.py' suggests a lack of malicious intent regarding data leakage, the combination of RCE vulnerabilities and external data transmission makes this bundle high-risk for production environments.
Capability tags
requires-oauth-token, requires-sensitive-credentials
Capability assessment
Purpose & Capability
The files and scripts implement a local RAG/memory system (ChromaDB, indexing, recall, a server, multi-agent mesh) which is coherent with the skill's name and description. However registry metadata lists no required env vars while the SKILL.md and code indicate an embedding service (SkillBoss API Hub) is used (SKILLBOSS_API_KEY). That mismatch is an inconsistency you should confirm with the publisher.
Instruction Scope
Runtime instructions and setup will create a Python venv, install chromadb and sentence-transformers, create ~/.local/bin scripts, write config under ~/.jasper-recall and ~/.openclaw, and copy SKILL.md into OpenClaw's skills dir. The recall server enables CORS '*' and can be bound to 0.0.0.0 (exposes endpoints externally if started that way). The SKILL.md and code indicate embeddings may be obtained via SkillBoss API Hub, which implies user data (indexed text or chunks) could be sent to that external service — confirm whether embeddings are remote and whether that matches your privacy expectations. The server defaults to public_only=true, and private access requires RECALL_ALLOW_PRIVATE=true; still, misconfiguration (running host 0.0.0.0 + CORS '*') can leak data.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the package includes many scripts and a setup routine invoked via `npx jasper-recall setup` that will create a venv and run pip installs (chromadb, sentence-transformers). Using pip/venv and copying scripts into ~/.local/bin is standard for this type of tool, but it's an active install that writes files to your home and executes child processes — verify the source and review the Python scripts (which may perform network calls).
Credentials
SKILL.md lists requires.env: [SKILLBOSS_API_KEY] (used for SkillBoss API Hub embeddings) but the registry metadata provided earlier declared no required env vars — that's inconsistent. The code also relies on several RECALL_* env vars (RECALL_ALLOW_PRIVATE, RECALL_PORT, etc.) which are reasonable for configuration, but SKILLBOSS_API_KEY would permit remote embedding calls and is a high-sensitivity credential: confirm whether embeddings go to a third-party service and whether you are comfortable sending memory text there. The server only permits private queries when RECALL_ALLOW_PRIVATE=true; ensure that remains unset unless intended.
Persistence & Privilege
The setup modifies user files persistently: creates ~/.openclaw/chroma-db, ~/.openclaw/rag-env, ~/.local/bin scripts, and — if ~/.openclaw/openclaw.json exists — it will add/enable a 'jasper-recall' plugin entry with autoRecall:true. This is a persistent change to OpenClaw configuration and effectively enables the skill as a plugin by default. While not 'always:true' in the registry, the automatic enabling behavior and writing to config files is significant and should be reviewed before install. The server's CORS '*' plus optional binding to 0.0.0.0 increases exposure if misused.
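How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install qui-jasper-recall
  3. Once installation finishes, call the Skill by name or trigger it with /qui-jasper-recall
  4. Provide the required inputs according to the Skill's parameter description to get structured output.
Version history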
v1.0.0
Jasper Recall v0.3.1 introduces major enhancements for multi-agent memory sharing and control:
- Added multi-agent mesh support (N agents can now share memory across a mesh)
- Introduced agent-specific collections for greater memory isolation and privacy
- New OpenClaw plugin with autoRecall capabilities
- Expanded CLI with new commands: recall-mesh and sync-shared
- Upgraded system architecture for more flexible, secure, and collaborative memory sharing between agents
Metadata
Slug: qui-jasper-recall
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Number of versions: 1
FAQ

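What is Jasper Recall?

Local retrieval-augmented generation system for AI agents to index, search, and recall private, shared, and learned memories using ChromaDB and SkillBoss emb... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 44 total downloads so far.

How do I install Jasper Recall?

Run the command "/install qui-jasper-recall" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Jasper Recall free?

Yes, Jasper Recall is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does Jasper Recall support?

Jasper Recall is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Jasper Recall?

Developed and maintained by MarjorieBroad (@marjoriebroad); the current version is v1.0.0.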
