Smart Memory
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
Smart Memory’s local memory purpose is coherent, but its artifacts show persistent transcript storage plus an under-declared, unpinned installer/postinstall path that can execute local commands.
Review the installer before running it, prefer a pinned release over curl-to-bash or master-branch installs, and understand that this skill stores conversation transcripts and derived memories locally for future reuse. If installed, restrict access to the local API and data directory, and avoid using it for conversations you do not want persisted.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing this way can execute whatever code is currently on the remote master branch and install-time scripts may change between review and use.
The installer encourages piping a remote script to bash, pulls the current GitHub master branch without a pinned release or checksum, and then runs npm install. This is a supply-chain risk, especially because the registry says there is no install spec.
# Usage: curl -sL https://raw.githubusercontent.com/BluePointDigital/smart-memory/master/install.sh | bash ... git clone --depth 1 "$REPO_URL.git" smart-memory-temp ... npm install --silent
Use a pinned release or commit hash, publish a real install spec, avoid curl-to-bash installation, and document exactly which commands will run before users install.
A normal npm install can run local commands and install dependencies before the user has separately reviewed those commands.
The static scan shows the npm postinstall script shells out. Because install.sh runs npm install and comments that postinstall creates the Python venv and installs requirements, users may get command execution during setup that is not represented in the registry install metadata.
const result = spawnSync(command, args, {Move environment setup into an explicit, documented command, or make postinstall no-op by default and require user confirmation for shelling out.
Any local client able to reach the service could potentially trigger major memory-state changes, not just search or commit normal memories.
The visible FastAPI route exposes a high-impact rebuild operation on the memory state, and the shown route does not include an authentication, confirmation, or scoping check.
@app.post("/rebuild") async def rebuild(request: Request): ... return jsonable_encoder(system.rebuild_all_memory_state())Gate destructive or bulk-mutating endpoints behind explicit user confirmation, local auth, or a separate admin mode, and document the operational impact.
Private conversation details, preferences, identities, and task history may remain on disk and be reused in future agent responses.
The skill intentionally persists transcripts as canonical truth and derives reusable memories from them. This is core to the stated purpose, but the stored content may contain sensitive user data and can later shape prompts.
- immutable local transcript logging with `sessions`, `transcript_messages`, and `memory_evidence` ... transcript messages are the source of truth
Install only if persistent local memory is desired; keep the data directory private, back it up carefully, and look for or request clear deletion/retention controls.
The agent may consult stored memory automatically when it thinks continuity or prior preferences matter.
The skill instructs the agent to call memory retrieval before certain answers. This is aligned with a memory tool, but it does steer tool use and response grounding.
Always retrieve before: - summarizing prior discussions - referencing earlier decisions - recalling user preferences
Keep this behavior enabled only if you want automatic continuity; otherwise require explicit user approval before memory retrieval or memory-based claims.