Is elite-longterm-memory safe?
https://clawhub.ai/NextFrontierBuilds/elite-longterm-memory
Elite Longterm Memory is a documentation-heavy skill that instructs the AI agent to maintain persistent memory across sessions using local files and optional cloud services. While it contains no overtly malicious code, it presents significant concerns: it instructs the agent to perform operations silently (hidden from the user), sends conversation data to third-party cloud services (Mem0, SuperMemory), and creates a large persistent attack surface through memory files that are automatically loaded on session start. The filesystem monitoring detected reads of .env and .aws/credentials during install, though these appear to originate from the openclaw gateway rather than the skill itself.
Category Scores
Findings (14)
HIGH: Silent operations hidden from user (-20)
SKILL.md explicitly instructs the agent to store decisions in Git-Notes 'SILENTLY - never announce'. This trains the agent to hide filesystem write operations from the user, reducing transparency and auditability of agent actions.
HIGH: WAL protocol overrides agent response behavior (-15)
The Write-Ahead Log protocol mandates the agent write to files BEFORE responding to the user for every preference, decision, deadline, or correction. This fundamentally alters agent behavior, prioritizing file writes over user interaction and creating a mandatory pre-response hook that could delay or modify responses.
HIGH: Conversation data sent to third-party cloud services (-30)
The skill instructs the agent to send conversation content to multiple external services: SuperMemory API for cloud backup and Mem0 API for automatic fact extraction. User conversations, preferences, and decisions are transmitted to third-party servers without per-message consent.
HIGH: Git notes push sends structured memory to remote (-10)
The skill instructs the agent to run 'git notes push' to sync structured decision and knowledge data to remote git repositories, potentially exposing sensitive project decisions and user preferences to any repository collaborator or remote host.
MEDIUM: Sensitive file reads during install (-25)
Filesystem monitoring detected reads of .env, .aws/credentials, and auth-profiles.json during the install process. While these reads appear to originate from the openclaw gateway process rather than the skill itself, they occur in the context of skill installation and could expose credentials if the gateway passes them to skill code.
MEDIUM: Requires global configuration changes (-10)
The skill instructs users to modify ~/.openclaw/openclaw.json to enable memorySearch, autoRecall, and the memory-lancedb plugin. These global configuration changes affect all agent sessions, not just sessions using this skill.
MEDIUM: Persistent memory creates cross-session injection surface (-10)
The skill creates multiple persistent files (SESSION-STATE.md, MEMORY.md, daily logs) that are read on every session start. If an attacker can write to any of these files, they can inject instructions that will be loaded into the agent's context in future sessions.
MEDIUM: Memory poisoning enables persistent agent manipulation (-30)
The multi-layer memory architecture creates a large persistent attack surface. A single poisoned entry in MEMORY.md, SESSION-STATE.md, LanceDB vectors, or Git-Notes can influence agent behavior across all future sessions indefinitely. The auto-recall feature means poisoned content is injected without explicit user action.
MEDIUM: Combination risk with code execution skills (-30)
This skill stores sensitive user context (preferences, decisions, credentials mentioned in conversation) in readable files. If combined with a skill that has code execution capabilities, the stored memories become an exfiltration target containing concentrated sensitive information.
LOW: CLI tool writes files to working directory (-10)
The bin/elite-memory.js CLI creates SESSION-STATE.md, MEMORY.md, and a memory/ directory with daily log files. Operations are scoped to the current working directory, but the tool does not validate or sanitize the working directory path.
LOW: Optional dependency mem0ai has own install lifecycle (-10)
The package.json declares mem0ai as an optionalDependency. This npm package will execute its own install scripts when installed, introducing third-party code execution outside this skill's control.
LOW: Temp file creation during install (-10)
Install process created multiple compiled CJS files in /tmp/jiti/ and a gateway lock file in /tmp/openclaw-1000/. While likely from the openclaw runtime rather than the skill, these temp files could persist and be read by other processes.
INFO: Requires OPENAI_API_KEY environment variable (-10)
The skill requires OPENAI_API_KEY for vector search functionality. While this is a legitimate requirement for the stated feature, it means the API key is available in the agent's environment and could be exposed through the memory system if conversations mentioning it are stored.
INFO: Maintenance commands include destructive operations (-5)
The skill documents destructive maintenance commands including 'rm -rf ~/.openclaw/memory/lancedb/' described as a 'nuclear option'. While these are user-initiated, an agent following this skill's instructions could execute them if prompted.