Persistent memory system for AI agents. Automatic encoding, decay, and semantic reinforcement — just like the hippocampus in your brain. Based on Stanford Generative Agents (Park et al., 2023).
Security Analysis
medium confidenceThe skill appears to implement the advertised memory system and mostly requests only local tools/files, but it also instructs the agent/operator to add a background agent via a system-prompt override and to scan/monitor all session history — behavior that persists and elevates privilege without being declared, so proceed cautiously.
The name/description (persistent memory for agents) align with the included files and scripts: preprocess, scoring, summarization, recall, decay, and dashboard generation. Required binaries (python3, jq) and local filesystem access to ~/.openclaw/workspace are consistent with the stated purpose. Owner/source is unknown (repo URL present in metadata but 'Source: unknown' at top), which reduces trust but does not by itself make the capability incoherent.
SKILL.md and the agent/agentdir docs instruct the agent/operator to read all session histories, write and overwrite memory/index.json, and run cron jobs that periodically encode and decay memories. More importantly, several docs recommend adding a hippocampus background agent to the gateway config by inserting a systemPrompt — i.e., a system-prompt override that runs silently and monitors sessions. That is scope-expanding and persistent behavior (background monitoring) beyond simple on-demand memory helpers. The pre-scan also flagged prompt-injection patterns (system-prompt-override) inside SKILL.md; the skill explicitly tells operators how to override gateway prompts to create a background agent.
Installation is manual and self-contained: install.sh plus bundled scripts; there is no remote download or extract of code from unknown servers in the provided install spec. That is lower risk than an external download. install.sh may invoke the openclaw CLI to register cron jobs; if openclaw is absent it prints the commands. The installer makes scripts executable, initializes memory dirs and files, and can set up cron jobs — all local operations.
The skill declares no required environment variables or credentials, which matches the included scripts. However, the runtime instructions and install.sh assume (and instruct) access to OpenClaw config files (~/.openclaw/config.yaml, openclaw.json) and the main session history. Those config-path modifications (adding a new agent with an explicit systemPrompt) are not declared in the metadata and represent elevated access to gateway configuration and to all conversation transcripts across sessions. Reading/writing all session history is expected for a memory system but is high-sensitivity and should be explicitly declared and authorized.
The skill does not set always:true, but the installer and docs encourage persistent setup: cron jobs for periodic encoding/decay and an optional background agent entry for the gateway that runs continuously and 'runs silently.' These produce lasting, autonomous behavior (periodic processing of conversation history and automatic file writes). The combination of autonomous cron/agent + instructions to override gateway system prompts increases the blast radius and deserves careful scrutiny before enabling.
Guidance
What to consider before installing: - This skill is largely coherent with its stated purpose: it runs local scripts to extract, score, summarize, store, and decay memories in ~/.openclaw/workspace/memory. The code is included (no remote downloads) which makes auditing possible. - Major caution: the docs explicitly recommend adding a background hippocampus agent into your OpenClaw gateway config (a systemPrompt override) and creating cron jobs that periodically process all session history. That effectively gives the skill an autonomous, persistent watcher of your conversations and the ability to update memory/index.json automatically. If you do not want continuous background processing or system-prompt changes, do NOT apply the gateway config snippets or the --with-agent option. - Practical steps to reduce risk: 1. Inspect omitted/remaining scripts (summarize-pending.sh, any scripts that invoke network or model APIs) before running. The archive truncated some files — verify what summarization steps call (LLM API, openclaw spawn, or remote endpoints). 2. Install without cron/agent first: run ./install.sh (no --with-cron, no --with-agent) and run encode-pipeline.sh manually with --no-spawn to see pending items. 3. Run pipeline with NO_SPAWN / --no-spawn mode and manually review pending-memories.json before allowing any automated summarization or sub-agent spawns. 4. Backup your workspace and existing memory/index.json before first run; consider chroot/sandbox or test account if you want to isolate data. 5. Do not merge the gateway config/systemPrompt snippets blindly. If you want periodic processing, prefer cron-triggered explicit commands rather than modifying gateway system prompts to run a silent background agent. 6. If you plan to let the skill index all sessions, accept that it will read and persist potentially sensitive user data; consider excluding channels/sessions you want to keep private. - If you need help auditing specific omitted scripts (e.g., summarization step or any network calls), provide their contents and I can review them for remote endpoints, credential use, or obfuscated behavior. Confidence note: medium — the files provided show clear alignment with the memory feature, but the presence of instructions to modify gateway/system prompts and the fact the source is not fully verified raise non-trivial concerns that warrant manual review and conservative deployment choices.
Latest Release
v3.8.6
- Skill name updated to "hippocampus-memory" and title clarified. - Description rewritten for clarity and conciseness. - Metadata version bumped to 3.8.6. - Documentation restructured for easier reading; headings clarified and formatting improved. - No changes to scripts, features, or usage—documentation improvements only.
More by @ImpKind
Published by @ImpKind on ClawHub
