BlueColumn Memory
ReviewAudited by ClawScan on May 10, 2026.
Overview
This memory skill is mostly coherent, but it can proactively store conversation summaries in an external persistent memory service without clearly requiring per-session approval.
Install only if you want an external BlueColumn memory service to store and retrieve information for your agent. Before use, verify the BlueColumn endpoint, keep the API key in a secret store, and require the agent to ask before saving any session summary or sensitive content.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private conversation details, decisions, or preferences could be stored and reused later through BlueColumn without the user noticing each time.
This directs the agent to store session summaries in persistent external memory. Although the skill also says to only send content the user explicitly wants stored, the proactive end-of-session instruction does not clearly require fresh user approval or define retention/deletion boundaries.
At the end of meaningful sessions, proactively push a summary to BlueColumn
Require explicit confirmation before every memory write, especially end-of-session summaries, and avoid storing sensitive personal, financial, medical, or confidential information unless the user clearly approves.
If the API key is placed in a broadly readable file or accidentally included in output, someone else could use the user's BlueColumn account.
The API key is expected for this provider integration, and the skill recommends the secret store. The fallback to TOOLS.md is less protective and users should treat the key as sensitive.
Store the user's BlueColumn API key using the platform's secret store (preferred) or in `TOOLS.md`
Use the platform secret store rather than TOOLS.md, avoid pasting the key into chats or logs, and rotate the key if it may have been exposed.
Users may rely on the skill's assurance and send sensitive memories to the endpoint without independently confirming the provider and privacy terms.
The skill makes strong trust and data-boundary claims about an external Supabase endpoint, while the provided registry metadata lists the source as unknown and no homepage. The artifacts do not independently verify those claims.
The supabase.co domain is BlueColumn's verified backend... All data stays within BlueColumn's managed environment.
Verify the BlueColumn domain, API endpoint, and data-retention/privacy policy independently before storing sensitive information.