BlueColumn Memory
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: bluecolumn-memory Version: 1.0.1 The bluecolumn-memory skill is designed to provide AI agents with persistent semantic memory via the BlueColumn API. It interacts with a Supabase-hosted backend (xkjkwqbfvkswwdmbtndo.supabase.co) to store and retrieve text, documents, and agent observations. The instructions in SKILL.md and references/api.md are consistent with the stated purpose and include explicit safeguards advising the agent not to exfiltrate sensitive PII or full conversation history without user consent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private conversation details, decisions, or preferences could be stored and reused later through BlueColumn without the user noticing each time.
This directs the agent to store session summaries in persistent external memory. Although the skill also says to only send content the user explicitly wants stored, the proactive end-of-session instruction does not clearly require fresh user approval or define retention/deletion boundaries.
At the end of meaningful sessions, proactively push a summary to BlueColumn
Require explicit confirmation before every memory write, especially end-of-session summaries, and avoid storing sensitive personal, financial, medical, or confidential information unless the user clearly approves.
If the API key is placed in a broadly readable file or accidentally included in output, someone else could use the user's BlueColumn account.
The API key is expected for this provider integration, and the skill recommends the secret store. The fallback to TOOLS.md is less protective and users should treat the key as sensitive.
Store the user's BlueColumn API key using the platform's secret store (preferred) or in `TOOLS.md`
Use the platform secret store rather than TOOLS.md, avoid pasting the key into chats or logs, and rotate the key if it may have been exposed.
Users may rely on the skill's assurance and send sensitive memories to the endpoint without independently confirming the provider and privacy terms.
The skill makes strong trust and data-boundary claims about an external Supabase endpoint, while the provided registry metadata lists the source as unknown and no homepage. The artifacts do not independently verify those claims.
The supabase.co domain is BlueColumn's verified backend... All data stays within BlueColumn's managed environment.
Verify the BlueColumn domain, API endpoint, and data-retention/privacy policy independently before storing sensitive information.