Openclaw Mem0

The code and SKILL.md implement a Mem0 memory plugin (platform and OSS modes) which matches the implied purpose. However the registry metadata declares no required environment variables or primary credential while the README/SKILL.md and plugin UI expect a Mem0 API key (MEM0_API_KEY) and host configuration. The package contains mem0ai and other dependencies in package.json/package-lock, but the skill metadata did not declare these needs. Missing top-level description/homepage in the registry is also a minor red flag.

SKILL.md instructs the agent to Auto‑Recall (search memories and inject results into the system prompt before each agent turn) and Auto‑Capture (analyze each turn and store key facts after each turn). Those behaviors are expected for a memory plugin but effectively allow automatic modification of system prompts and automatic exfiltration of conversational content to the configured memory backend. The SKILL.md does not instruct reading unrelated local files or other credentials, but the pre-scan flagged 'system-prompt-override' is expected here because the plugin intentionally injects memory into the system prompt.

No explicit install spec was provided in the registry (instruction-only), which is lower risk, but the bundle includes source files, package.json, and a package-lock with many dependencies (mem0ai, openclaw, etc.). If you install via the OpenClaw CLI/npm, these dependencies will be fetched from npm. The presence of substantial dependencies is plausible but should be audited (package-lock is large and pulls many transitive libs).

The skill metadata lists no required env vars or primary credential, yet SKILL.md and plugin UI examples expect a Mem0 API key (and optionally MEM0_HOST) for platform mode. That mismatch is an inconsistency: the plugin will need credentials to send user memory to the Mem0 backend but the registry did not declare this. Requesting a single API key for the memory backend is proportional to the feature, but the missing declaration and no clear guidance about protecting sensitive info are concerning.

The plugin is not marked 'always: true' (good). It allows autonomous invocation (default) which is normal for plugins. However Auto‑Recall/Auto‑Capture grant it broad ability to read and inject context and to transmit conversation content to the configured backend — a powerful capability that can leak sensitive data if misconfigured or if the backend is untrusted. The plugin provides controls (customInstructions, toggles) but those rely on operator configuration.