Long-term memory via ChromaDB with local Ollama embeddings. Auto-recall injects relevant context every turn. No cloud APIs required — fully self-hosted.
Security Analysis
medium confidenceThe skill's code, instructions, and requirements are consistent with a local ChromaDB+Ollama memory plugin; no evidence of deliberate misdirection or hidden endpoints, though there are small implementation/packaging inconsistencies and a configuration-sensitive privacy surface to be aware of.
Name/description match the code and SKILL.md: it embeds user messages with Ollama and queries a ChromaDB collection. Requested resources are minimal and in-line with a memory plugin. Minor mismatch: metadata lists 'curl' as a required binary even though the runtime code uses fetch (HTTP) and does not call curl; install instructions assume running OpenClaw gateway commands but do not declare an 'openclaw' binary requirement.
SKILL.md and scripts limit behavior to embedding user messages, querying ChromaDB, and injecting results as memories. There are no instructions to read unrelated system files or environment variables. Note: auto-recall will send user messages to the configured Ollama and Chroma endpoints — if those URLs point to remote services, sensitive data will be transmitted.
No external install/downloads are used; the skill is instruction-only with bundled plugin files to copy into the user's OpenClaw extensions directory. This is a low-risk install model. Minor practical issue: the bundled runtime is TypeScript (scripts/index.ts); the instructions simply copy the .ts file without explaining compilation/runtime expectations — ensure your OpenClaw runtime supports TS files.
The skill declares no required environment variables or secrets, which fits its local-server design. The only sensitive surface is the configurable endpoints (chromaUrl, ollamaUrl): if set to remote hosts they will receive the agent's messages/embeddings, so credentials or remote endpoints would increase risk but are not required by default.
The skill is not always-enabled and is user-invocable; it registers as a plugin and injects memories before each turn if enabled. Autonomous invocation is default platform behavior — here it's expected for auto-recall. The plugin does not request system-wide privileges or modify other plugins.
Guidance
This plugin appears to do what it says: embed messages with Ollama and query a ChromaDB collection to provide long-term memory. Before installing: (1) Verify you trust the plugin source/contents (review scripts/index.ts and openclaw.plugin.json). (2) Ensure both chromaUrl and ollamaUrl point to services you control (prefer localhost) — otherwise user messages/embeddings would be sent off-host. (3) Note small inconsistencies: metadata lists 'curl' although the code uses fetch, and the plugin is shipped as a TypeScript (.ts) file — confirm your OpenClaw runtime handles .ts files or build a JS variant. (4) If you enable autoRecall, remember it will automatically inject historical data into every agent turn; disable autoRecall if you want manual control. If you want higher assurance, run the plugin in an isolated homelab instance and audit network requests while exercising the tool.
Latest Release
v1.2.1
v1.2.1: Updated documentation for hybrid search and collectionName config.
Popular Skills
Published by @msensintaffar on ClawHub
