OpenClaw Memory-OS
⚠️ CRITICAL PRIVACY & SECURITY NOTICE
READ THIS BEFORE INSTALLING OR ENABLING AUTO-TRIGGER
✅ Security Features (v0.3.0)
IMPLEMENTED:
1. ✅ Confirmation Prompts - Always asks before saving (even with AUTO-TRIGGER)
2. ✅ Privacy Filter Integrated - Automatically redacts sensitive data
   - Detects and redacts: API keys, passwords, emails, credit cards, IP addresses, SSH keys
   - Shows "[REDACTED]" for filtered content
   - Displays filtering statistics
3. ✅ Path Protection - Blocks dangerous directories by default
   - Refuses to collect: ~/.ssh/, ~/.aws/, .env files, system credentials
   - Requires --allow-dangerous flag + confirmation for sensitive paths
4. ✅ Safe Mode - Enabled by default, enforces all security features
REMAINING RISKS:
- ⚠️ No Encryption at Rest - Data stored as plain JSON (framework added, full implementation v0.3.1)
- ⚠️ Filesystem Access - Anyone with file access can read INLINECODE4
- ⚠️ Manual Bypass - Users can override protections with INLINECODE5
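A path check of the kind the Path Protection item describes has to decide on the resolved path, not on the string the user typed. The sketch below is an added example, not the project's code: checkCollectPath(), normalize() and the deny-lists are hypothetical names, /home/u is a placeholder home directory, and treating a broad source such as ~/ as blocked because it contains a protected directory is an assumption of this example.

```javascript
// Added illustration, not the project's code: checkCollectPath() and the
// deny-lists are hypothetical names; the entries come from the page.
const PROTECTED_DIRS = ['.ssh', '.aws']; // relative to the home directory
const PROTECTED_FILES = [/^\.env(\..+)?$/, /^credentials\.json$/];

// Lexically resolve "~", ".", ".." and repeated slashes. Symlinks are NOT
// resolved here; a real check should also compare the realpath.
function normalize(p, home, cwd) {
  if (p === '~' || p.startsWith('~/')) p = home + p.slice(1);
  else if (!p.startsWith('/')) p = cwd + '/' + p;
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop(); else out.push(seg);
  }
  return '/' + out.join('/');
}

function checkCollectPath(source, opts) {
  const { home, cwd = home, allowDangerous = false, confirmed = false } = opts;
  const abs = normalize(source, home, cwd);
  const homeAbs = normalize(home, home, cwd);
  const root = homeAbs === '/' ? '' : homeAbs;
  const reasons = [];
  for (const dir of PROTECTED_DIRS) {
    const prot = root + '/' + dir;
    if (abs === prot || abs.startsWith(prot + '/')) {
      reasons.push(`inside ~/${dir}/`);
    } else if (prot.startsWith(abs === '/' ? '/' : abs + '/')) {
      reasons.push(`contains ~/${dir}/`); // e.g. --source ~/ would sweep it in
    }
  }
  const base = abs.split('/').pop();
  if (PROTECTED_FILES.some((re) => re.test(base))) reasons.push(`sensitive file ${base}`);
  // An override needs BOTH the flag and an interactive confirmation.
  const allowed = reasons.length === 0 || (allowDangerous && confirmed);
  return { allowed, resolved: abs, reasons };
}

// Constructed inputs; /home/u is a placeholder home directory.
const HOME = { home: '/home/u' };
for (const src of ['~/notes', '~/', '~/projects/../.ssh/id_rsa', '~/.sshkeys-docs', 'app/.env.local']) {
  console.log(src, JSON.stringify(checkCollectPath(src, HOME)));
}
```

The ~/.sshkeys-docs case stays allowed because the comparison is made on whole path segments, while the ../ traversal into ~/.ssh/ is caught after normalization.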
✅ SAFE USAGE RECOMMENDATIONS
DO:
- ✅ Test in isolated VM/sandbox first
- ✅ Use manual remember command only (avoid AUTO-TRIGGER)
- ✅ Limit collect --source to specific, non-sensitive folders
- ✅ Review ~/.memory-os/memories/*.json regularly
- ✅ Backup and encrypt ~/.memory-os/ yourself if needed
- ✅ Monitor network traffic (should be zero after installation)
DO NOT:
- ❌ Enable AUTO-TRIGGER in production without code audit
- ❌ Run collect --source ~/ or other broad paths with sensitive data
- ❌ Collect directories containing: .env, .aws/, .ssh/, credentials.json, etc.
- ❌ Store API keys, passwords, or credentials in collected files
- ❌ Trust plaintext storage for confidential information
- ❌ Grant autonomous agent access if AUTO-TRIGGER is enabled
🔍 HOW TO AUDIT BEFORE INSTALLING
Step 1: Inspect the npm package
CODEBLOCK0
Step 2: Verify GitHub source matches npm package
CODEBLOCK1
Step 3: Test in isolated environment
CODEBLOCK2
Step 4: Monitor network activity
CODEBLOCK3
Step 5: Review filesystem permissions
# Set strict permissions on data directory
chmod 700 ~/.memory-os/
chmod 600 ~/.memory-os/memories/*.json
# Optional: Move to encrypted volume
mv ~/.memory-os/ /path/to/encrypted/volume/
ln -s /path/to/encrypted/volume/.memory-os ~/
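Step 1's check that the package runs nothing at install time can be automated once the tarball has been unpacked. The function below is an added example, not part of the project: auditPackage() and its inputs are hypothetical, the sample manifests are constructed, and it goes slightly beyond the steps above by also flagging npm's implicit node-gyp step and a name/version mismatch between what was requested and what the tarball contains.

```javascript
// Added illustration (not the project's tooling): list everything in a packed
// tarball that would execute code at `npm install` time.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// packageJsonText: contents of package/package.json from the unpacked tarball
// tarballFiles:    entries as listed by `tar -tzf <tarball>`
// expected:        the name and version you asked `npm pack` for
function auditPackage(packageJsonText, tarballFiles, expected) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  if (pkg.name !== expected.name || pkg.version !== expected.version) {
    findings.push(`identity mismatch: tarball is ${pkg.name}@${pkg.version}`);
  }
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`install hook ${hook}: ${scripts[hook]}`);
  }
  // With a binding.gyp and no install/preinstall script, npm defaults the
  // install step to `node-gyp rebuild`, so an empty "scripts" is not enough.
  if (tarballFiles.includes('package/binding.gyp') && !scripts.install && !scripts.preinstall) {
    findings.push('implicit install hook: binding.gyp -> node-gyp rebuild');
  }
  // Every bin entry becomes a command on PATH; it must exist in the tarball.
  const bin = typeof pkg.bin === 'string' ? { [pkg.name]: pkg.bin } : pkg.bin || {};
  for (const [cmd, target] of Object.entries(bin)) {
    const entry = 'package/' + target.replace(/^\.\//, '');
    if (!tarballFiles.includes(entry)) findings.push(`bin ${cmd}: ${target} not in tarball`);
  }
  return findings;
}

// Constructed samples: the file names and scripts below are made up.
const CLEAN = JSON.stringify({
  name: 'openclaw-memory-os', version: '0.3.0',
  scripts: { build: 'tsc' }, bin: { 'openclaw-memory-os': './bin/cli.js' },
});
const SUSPECT = JSON.stringify({
  name: 'openclaw-memory-os', version: '0.2.2',
  scripts: { postinstall: 'node setup.js' }, bin: './bin/cli.js',
});
const WANT = { name: 'openclaw-memory-os', version: '0.3.0' };
console.log(auditPackage(CLEAN, ['package/package.json', 'package/bin/cli.js'], WANT));
console.log(auditPackage(SUSPECT, ['package/package.json', 'package/binding.gyp'], WANT));
```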
✅ AUTO-TRIGGER IS DISABLED BY DEFAULT (Opt-In)
For privacy protection, AUTO-TRIGGER is OFF by default. You must explicitly enable it in config.
What is AUTO-TRIGGER?
- Detects keywords: "记住", "remember", "save to memory", etc.
- Extracts and saves content directly to ~/.memory-os/ (⚠️ no confirmation prompt in v0.2.2)
- Data stays local (✅ zero network calls during runtime)
Default Behavior (Safe):
CODEBLOCK5
How to Enable AUTO-TRIGGER (Optional):
CODEBLOCK6
Privacy Considerations if Enabled:
- ⚠️ Accidental triggers during casual conversation will save immediately (no prompt)
- ⚠️ No confirmation before saving (v0.2.2 limitation - planned for v0.3.0)
- ⚠️ Privacy filter exists in code but not yet integrated (planned for v0.3.0)
- ⚠️ Data stored as plain JSON (no encryption at rest)
- ✅ Can be disabled anytime
- ✅ All data stays local (100% offline during runtime)
Recommended: Use manual commands for full control, only enable AUTO-TRIGGER after testing in sandbox.
🤖 AUTONOMOUS AGENT WARNING
If you use AI agents with autonomous execution capabilities:
⚠️ DO NOT enable AUTO-TRIGGER if agents have autonomous invocation access
Risk Scenario:
CODEBLOCK7
Safe Configuration:
- ✅ Keep AUTO-TRIGGER disabled (default)
- ✅ Use manual remember command only
- ✅ Review agent's access to openclaw-memory-os commands
- ✅ Set disable-model-invocation: true in skill config if available
Blast Radius:
- AUTO-TRIGGER OFF + Manual only = Low risk (user controls what's saved)
- AUTO-TRIGGER ON + Autonomous agents = High risk (no human in the loop)
🔍 Privacy Filter Status (v0.2.2)
Implementation Status: Code exists but not yet integrated into CLI
The privacy filter is implemented in the codebase (src/conversation/privacy-filter.ts) with comprehensive rules:
- ✅ API keys, tokens, passwords
- ✅ Email addresses
- ✅ Credit card numbers
- ✅ IP addresses, SSN, phone numbers
- ✅ Private keys, system paths
Current Limitation: The filter is not automatically applied during memory collection in v0.2.2. Users must:
1. Review collected data manually: INLINECODE20
2. Delete sensitive files: INLINECODE21
3. Avoid collecting directories with credentials
Planned: Automatic privacy filter integration in v0.3.0
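A redaction pass of the kind this section describes, returning both the filtered text and per-category counts, can be sketched as follows; the same function can be run over the text of stored memories during the manual review. This is an added example, not the project's src/conversation/privacy-filter.ts: the rule names, the patterns and redact() are assumptions covering some of the listed categories, and the sample input is constructed.

```javascript
// Added illustration: NOT the project's privacy-filter.ts. Rule names and
// patterns are assumptions covering some of the categories listed above.
function luhnValid(candidate) {
  const digits = candidate.replace(/\D/g, '').split('').reverse().map(Number);
  const sum = digits.reduce((acc, d, i) => {
    const v = i % 2 === 1 ? d * 2 : d;
    return acc + (v > 9 ? v - 9 : v);
  }, 0);
  return sum % 10 === 0;
}
function validIPv4(s) { return s.split('.').every((o) => Number(o) <= 255); }

const RULES = [
  // PEM blocks first, so later rules never match inside key material.
  { name: 'private_key',
    re: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g },
  // key=value secrets: keep the key name and separator, redact the value.
  { name: 'credential', keep: 2,
    re: /\b(api[_-]?key|token|secret|password)(\s*[:=]\s*)("[^"]*"|'[^']*'|\S+)/gi },
  { name: 'email', re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g },
  // 13-19 digits with optional separators, accepted only if Luhn-valid.
  { name: 'credit_card', re: /\b\d(?:[ -]?\d){12,18}\b/g, check: luhnValid },
  { name: 'ipv4', re: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g, check: validIPv4 },
];

// Returns the redacted text plus per-category counts (the "statistics").
function redact(text) {
  const stats = {};
  let out = text;
  for (const rule of RULES) {
    out = out.replace(rule.re, (match, ...groups) => {
      if (rule.check && !rule.check(match)) return match; // false positive
      stats[rule.name] = (stats[rule.name] || 0) + 1;
      const prefix = rule.keep ? groups.slice(0, rule.keep).join('') : '';
      return prefix + '[REDACTED]';
    });
  }
  return { text: out, stats };
}

// Constructed sample input (no real secrets).
const SAMPLE = [
  '-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----',
  'API_KEY=sk-constructed-0000 contact alice@example.com',
  'card 4111 1111 1111 1111, order id 1234567890123456',
  'host 192.0.2.10, build 999.1.2.3',
].join('\n');
console.log(JSON.stringify(redact(SAMPLE).stats));
```

The 16-digit order id and the 999.1.2.3 build string are left alone because they fail the Luhn and octet-range checks, which keeps the counts from being inflated by false positives.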
Installation
Quick Start
CODEBLOCK8
From Source
git clone https://github.com/ZhenRobotics/openclaw-memory-os.git
cd openclaw-memory-os
npm install && npm run build && npm link
Core Features
v0.3.0 (Current - Security First):
- 🔒 Confirmation Prompts - Always asks before saving (NEW!)
- 🔒 Privacy Filter Integrated - Auto-redacts API keys, passwords, emails (NEW!)
- 🔒 Path Protection - Blocks ~/.ssh, ~/.aws, .env files (NEW!)
- 🔒 Safe Mode - Enabled by default, enforces all protections (NEW!)
- ✅ Conversation Recording - AUTO-TRIGGER keyword-based memory capture (opt-in)
- ✅ High-Performance Storage - <10ms writes, 92% cache hit rate
- ✅ Session Management - 30min timeout, activity tracking
- ✅ Batch File Collection - INLINECODE22
- ✅ 100% Local Runtime - Zero network calls during operation (installation requires npm)
- ✅ 100% Test Coverage - 29 scenarios passing
NOT Included (Planned for v0.3.0+):
- ⏳ AI embeddings / semantic search (requires API key)
- ⏳ Knowledge graph
- ⏳ LLM-powered insights
- ⏳ Encryption at rest
Usage
Manual Commands (Default - Recommended)
By default, AUTO-TRIGGER is OFF. Use manual commands for full control:
CODEBLOCK10
AUTO-TRIGGER (Optional - Must Enable First)
⚠️ Disabled by default. To enable, edit config:
CODEBLOCK11
Once enabled, trigger keywords activate automatically:
- Chinese: 记住, 保存, 记录
- English: remember, save to memory, keep in mind
Example (only works after enabling):
User: "记住项目截止日期:2026-04-01"
→ Extracts: date=2026-04-01, event="项目截止"
→ Saves: ~/.memory-os/memories/<uuid>.json
Agent: ✅ 已记住
日期: 2026-04-01
事件: 项目截止
Security Best Practices
1. Test in Sandbox First
CODEBLOCK13
2. Control Collection Scope
CODEBLOCK14
3. Regular Data Review
CODEBLOCK15
4. Network Verification
# Verify zero network activity
sudo tcpdump -i any port 443 or port 80 &
openclaw-memory-os collect --source ~/test/
# Should see NO external connections
Agent API Usage
Node.js Integration:
CODEBLOCK17
See full API docs: GitHub README
Known Limitations (v0.3.0)
Security Limitations:
- ⚠️ No encryption at rest - Data stored as plain JSON files (v0.3.1 planned)
- ⚠️ Filesystem-level access - Anyone with file permissions can read memories
- ⚠️ Manual override available - --allow-dangerous bypasses path protection
Feature Limitations:
- ❌ No AI features (semantic search, embeddings) - planned for v0.4.0+
- ❌ No cloud sync or multi-device support
- ❌ Basic keyword search only (no semantic understanding)
- ❌ Single-user local storage only
- ❌ No GUI (command-line only)
Implementation Notes:
- Installation requires network (npm install)
- "Zero network calls" applies to runtime only, not installation
Links
- GitHub: https://github.com/ZhenRobotics/openclaw-memory-os
- npm: https://www.npmjs.com/package/openclaw-memory-os
- Issues: https://github.com/ZhenRobotics/openclaw-memory-os/issues
- Security: https://github.com/ZhenRobotics/openclaw-memory-os/blob/main/SECURITY.md
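OpenClaw Memory-OS (Chinese)
⚠️ Important Privacy & Security Notice
Read carefully before installing or enabling AUTO-TRIGGER
✅ Security Features (v0.3.0)
Implemented:
1. ✅ Confirmation Prompts - Always asks before saving (even with AUTO-TRIGGER enabled)
2. ✅ Privacy Filter Integrated - Automatically redacts sensitive data
   - Detects and redacts: API keys, passwords, emails, bank card numbers, IP addresses, SSH keys
   - Sensitive content is shown as "[REDACTED]"
   - Displays filtering statistics
3. ✅ Path Protection - Blocks dangerous directories by default
   - Refuses to collect: ~/.ssh/, ~/.aws/, .env files, system credentials
   - Sensitive paths require the --allow-dangerous flag + confirmation
4. ✅ Safe Mode - Enabled by default, enforces all security features
Remaining risks:
- ⚠️ No encryption at rest - Data is stored as plaintext JSON (framework added, full implementation in v0.3.1)
- ⚠️ Filesystem access - Anyone with file access can read INLINECODE28
- ⚠️ Manual bypass - Users can override protections with --allow-dangerous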
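✅ Safe Usage Recommendations
Do:
- ✅ Test in an isolated VM/sandbox first
- ✅ Use only the manual remember command (avoid AUTO-TRIGGER)
- ✅ Limit collect --source to specific, non-sensitive folders
- ✅ Regularly review INLINECODE32
- ✅ Back up and encrypt INLINECODE33 yourself if needed
- ✅ Monitor network traffic (should be zero after installation)
Do not:
- ❌ Enable AUTO-TRIGGER in production before auditing the code
- ❌ Run INLINECODE34 on paths containing sensitive data
- ❌ Collect directories containing: .env, .aws/, .ssh/, credentials.json, etc.
- ❌ Store API keys, passwords, or credentials in collected files
- ❌ Rely on plaintext storage to protect confidential information
- ❌ Grant autonomous AI agents access once AUTO-TRIGGER is enabled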
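✅ AUTO-TRIGGER Is Off by Default (Opt-In)
To protect privacy, AUTO-TRIGGER is off by default. You must explicitly enable it in the config.
What is AUTO-TRIGGER?
- Detects keywords: 记住, 保存, 记录, remember, etc.
- Extracts content and saves it directly to ~/.memory-os/ (⚠️ no confirmation prompt in v0.2.2)
- Data is stored locally only (✅ zero network calls at runtime)
Default behavior (safe):
CODEBLOCK18
How to enable AUTO-TRIGGER (optional):
CODEBLOCK19
Privacy considerations once enabled:
- ⚠️ Accidental triggers in everyday conversation save immediately (no prompt)
- ⚠️ No confirmation prompt before saving (v0.2.2 limitation - planned for v0.3.0)
- ⚠️ Privacy filter is implemented but not integrated (integration planned for v0.3.0)
- ⚠️ Data is stored as plaintext JSON (no encryption at rest)
- ✅ Can be disabled at any time
- ✅ All data is stored locally (100% offline at runtime)
Recommendation: Use manual commands for full control, and enable AUTO-TRIGGER only after sandbox testing.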
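Installation
CODEBLOCK20
Core Features
v0.3.0 (current - security first):
- 🔒 Confirmation Prompts - Always asks before saving (new!)
- 🔒 Privacy Filter Integrated - Automatically redacts API keys, passwords, emails (new!)
- 🔒 Path Protection - Blocks ~/.ssh, ~/.aws, .env files (new!)
- 🔒 Safe Mode - Enabled by default, enforces all protections (new!)
- ✅ Conversation Recording - Keyword-based AUTO-TRIGGER memory capture (opt-in)
- ✅ High-Performance Storage - <10ms writes, 92% cache hit rate
- ✅ Session Management - 30-minute timeout, activity tracking
- ✅ Batch File Collection - INLINECODE40
- ✅ 100% Local Runtime - Zero network calls at runtime (installation requires npm)
- ✅ 100% Test Coverage - 29 scenarios passing
Not included (planned for v0.3.0+):
- ⏳ AI embeddings / semantic search (requires an API key)
- ⏳ Knowledge graph
- ⏳ LLM-powered insights
- ⏳ Encryption at rest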
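Usage
Manual Commands (Default - Recommended)
By default, AUTO-TRIGGER is off. Use manual commands for full control:
CODEBLOCK21
AUTO-TRIGGER (Optional - Must Be Enabled First)
⚠️ Off by default. To enable:
CODEBLOCK22
Once enabled, trigger keywords activate automatically:
- Chinese: 记住, 保存, 记录
- English: remember, save to memory, keep in mind
Example (only works after enabling):
User: "记住项目截止日期:2026-04-01"
→ Extracts: date=2026-04-01, event="项目截止"
→ Saves: ~/.memory-os/memories/<uuid>.json
Agent: ✅ 已记住
日期:2026-04-01
事件:项目截止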
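Security Best Practices
1. Test in a Sandbox First
CODEBLOCK24
2. Control Collection Scope
CODEBLOCK25
3. Regular Data Review
CODEBLOCK26
4. Network Traffic Verification
# Verify zero network activity
sudo tcpdump -i any port 443 or port 80 &
openclaw-memory-os collect --source ~/test/
# Should see no external connections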
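Known Limitations (v0.3.0)
Security limitations:
- ⚠️ No encryption at rest - Data is stored as plaintext JSON files (planned for v0.3.1)
- ⚠️ Filesystem-level access - Anyone with file permissions can read memories
- ⚠️ Manual bypass possible - --allow-dangerous bypasses path protection
Feature limitations:
- ❌ No AI features (semantic search, embeddings) - planned for v0.4.0+
- ❌ No cloud sync or multi-device support
- ❌ Basic keyword search only (no semantic understanding)
- ❌ Single-user local storage only
- ❌ No GUI (command line only)
Implementation notes:
- Installation requires network access (npm install)
- "Zero network calls" refers to runtime only, not installation
Links
- GitHub: https://github.com/ZhenRobotics/openclaw-memory-os
- npm: https://www.npmjs.com/package/openclaw-memory-os
- Issues: https://github.com/ZhenRobotics/openclaw-memory-os/issues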
License: MIT-0 · Memory-OS v0.2.2 - 100% Local, 0% Cloud, Your Data, Your Control
OpenClaw Memory-OS
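⚠️ Critical Privacy & Security Notice
Read this notice before installing or enabling AUTO-TRIGGER
✅ Security Features (v0.3.0)
Implemented:
1. ✅ Confirmation Prompts - Always asks before saving (even with AUTO-TRIGGER enabled)
2. ✅ Privacy Filter Integrated - Automatically redacts sensitive data
   - Detects and redacts: API keys, passwords, emails, credit card numbers, IP addresses, SSH keys
   - Filtered content is shown as [REDACTED]
   - Displays filtering statistics
3. ✅ Path Protection - Blocks dangerous directories by default
   - Refuses to collect: ~/.ssh/, ~/.aws/, .env files, system credentials
   - Sensitive paths require the --allow-dangerous flag + confirmation
4. ✅ Safe Mode - Enabled by default, enforces all security features
Remaining risks:
- ⚠️ No encryption at rest - Data is stored as plaintext JSON (framework added, full implementation in v0.3.1)
- ⚠️ Filesystem access - Anyone with file access can read ~/.memory-os/
- ⚠️ Manual bypass - Users can override protections with --allow-dangerous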
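✅ Safe Usage Recommendations
Do:
- ✅ Test in an isolated VM/sandbox first
- ✅ Use only the manual remember command (avoid AUTO-TRIGGER)
- ✅ Limit collect --source to specific, non-sensitive folders
- ✅ Regularly review ~/.memory-os/memories/*.json
- ✅ Back up and encrypt ~/.memory-os/ yourself if needed
- ✅ Monitor network traffic (should be zero after installation)
Do not:
- ❌ Enable AUTO-TRIGGER in production without a code audit
- ❌ Run collect --source ~/ or other broad paths on locations containing sensitive data
- ❌ Collect directories containing: .env, .aws/, .ssh/, credentials.json, etc.
- ❌ Store API keys, passwords, or credentials in collected files
- ❌ Trust plaintext storage to protect confidential information
- ❌ Grant autonomous agents access once AUTO-TRIGGER is enabled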
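🔍 How to Audit Before Installing
Step 1: Inspect the npm package
# View package contents before installing
npm view openclaw-memory-os@0.3.0
# Check postinstall scripts (should be empty)
npm show openclaw-memory-os@0.3.0 scripts
# Download and inspect without installing
npm pack openclaw-memory-os@0.3.0
tar -xzf openclaw-memory-os-0.3.0.tgz
cat package/package.json
Step 2: Verify the GitHub source matches the npm package
# Clone the verified commit
git clone https://github.com/ZhenRobotics/openclaw-memory-os.git
cd openclaw-memory-os
git checkout 091eeab814533d2e3ae1738693445d2de8b3ab4d
# Review key files
cat src/cli/index.ts # CLI entry point
cat src/conversation/privacy-filter.ts # Privacy filter implementation (exists but not integrated)
cat src/storage/local-storage.ts # Storage mechanism
Step 3: Test in an isolated environment
# Use Docker for isolation
# Note: --network none leaves the container without registry access, so the
# install below needs the package supplied locally (e.g. the npm pack tarball)
docker run -it --rm --network none node:18 bash
npm install -g openclaw-memory-os@0.3.0
openclaw-memory-os init
openclaw-memory-os remember 测试数据
# Check what was created
ls -la ~/.memory-os/
cat ~/.memory-os/memories/*.json
Step 4: Monitor network activity
# In one terminal
sudo tcpdump -i any port 443 or port 80
# In another terminal
openclaw-memory-os remember 测试
# Should see zero network traffic after installation
Step 5: Review filesystem permissions
# Set strict permissions on the data directory
chmod 700 ~/.memory-os/
chmod 600 ~/.memory-os/memories/*.json
# Optional: move to an encrypted volume
mv ~/.memory-os/ /path/to/encrypted/volume/
ln -s /path/to/encrypted/volume/.memory-os ~/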
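✅ AUTO-TRIGGER Is Off by Default (Opt-In)
To protect privacy, AUTO-TRIGGER is off by default. You must explicitly enable it in the config.
What is AUTO-TRIGGER?
- Detects keywords: 记住, remember, save to memory, etc.
- Extracts content and saves it directly to ~/.memory-os/ (⚠️ no confirmation prompt in v0.2.2)
- Data stays local (✅ zero network calls at runtime)
Default behavior (safe):
You: 记住我的名字是刘小容
→ No reaction (AUTO-TRIGGER is off)
# To save, use the manual command:
$ openclaw-memory-os remember 我的名字是刘小容
How to enable AUTO-TRIGGER (optional):
# Method 1: edit the config
nano ~/.memory-os/config.json
# Set: {"auto_trigger": true}
# Method 2: enable during initialization (if implemented)
openclaw-memory-os init --enable-auto-trigger
Privacy considerations once enabled:
- ⚠️ Accidental triggers in everyday conversation will save immediately (no prompt)
- ⚠️ No confirmation before saving (v0.2.2 limitation - fix planned for v0.3.0)
- ⚠️ Privacy filter exists in the code but is not yet integrated (planned for v0.3.0)
- ⚠️ Data is stored as plaintext JSON (no encryption at rest)
- ✅ Can be disabled at any time
- ✅ All data stays local (100% offline at runtime)
Recommendation: Use manual commands for full control, and enable AUTO-TRIGGER only after sandbox testing.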
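🤖 Autonomous Agent Warning
If you use AI agents with autonomous execution capabilities:
⚠️ Do not enable AUTO-TRIGGER if agents have autonomous invocation access
Risk scenario:
1. The agent autonomously decides to remember something
2. AUTO-TRIGGER detects the keyword → saves immediately (no prompt)
3. The saved content may include API keys from the agent's context
4. No confirmation, no filtering, plaintext storage
Safe configuration:
- ✅ Keep AUTO-TRIGGER disabled (default)
- ✅ Use only the manual remember command
- ✅ Review the agent's access to openclaw-memory-os commands
- ✅ Set disable-model-invocation: true in the skill config if available
Blast radius:
- AUTO-TRIGGER off + manual only = low risk (user controls what is saved)
- AUTO-TRIGGER on + autonomous agents = high risk (no human in the loop)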
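🔍 Privacy Filter Status (v0.2.2)
Implementation status: Code exists but is not yet integrated into the CLI
The privacy filter is implemented in the codebase (src/conversation/privacy-filter.ts) with comprehensive rules:
- ✅ API keys, tokens, passwords
- ✅ Email addresses
- ✅ Credit card numbers
- ✅ IP addresses, Social Security numbers, phone numbers
- ✅ Private keys, system paths
Current limitation: In v0.2.2 the filter is not applied automatically during memory collection. Users must:
1. Manually review collected data: cat ~/.memory-os/memories/*.json
2. Delete sensitive files: rm ~/.memory-os/memories/.json
3. Avoid collecting directories that contain credentials
Planned: Automatic privacy filter integration in v0.3.0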
Installation
Quick Start
# 1. Install
npm install -g openclaw-memory-os@0.3.0
# 2. Initialize
openclaw-memory-os init
# 3. Test (optional)
mkdir ~/test-memories
echo 测试笔记 > ~/test-memories/note.txt
openclaw-memory-os collect --source ~/test-memories/
openclaw-memory-os search 测试
From Source
git clone https://github.com/ZhenRobotics/openclaw-memory-os.git
cd openclaw-memory-os
npm install && npm run build && npm link
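Core Features
v0.3.0 (current - security first):
- 🔒 Confirmation Prompts - Always asks before saving (new!)
- 🔒 Privacy Filter Integrated - Automatically redacts API keys, passwords, emails (new!)
- 🔒 Path Protection - Blocks ~/.ssh, ~/.aws, .env files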