Smart Memory

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: smart-memory
Version: 3.1.0

The skill bundle implements a sophisticated local memory architecture (Smart Memory v3.1) designed to provide AI agents with persistent, transcript-backed context. The system uses a FastAPI backend (server.py) and a Node.js adapter (smart-memory/index.js) to manage memory ingestion, retrieval, and background 'cognition' tasks like memory decay and conflict resolution. While the bundle includes scripts that perform system-level operations—such as install.sh (cloning a repository), postinstall.js (setting up a Python virtual environment), and openclaw-prime.sh (spawning a background server)—these actions are transparently documented and necessary for the stated purpose of a local cognitive engine. No evidence of data exfiltration, unauthorized remote control, or malicious prompt injection was found; the instructions provided to the agent are functional guidelines for surfacing relevant memories.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing this way can execute whatever code is currently on the remote master branch, and install-time scripts may change between review and use.

Why it was flagged

The installer encourages piping a remote script to bash, pulls the current GitHub master branch without a pinned release or checksum, and then runs npm install. This is a supply-chain risk, especially because the registry says there is no install spec.

Skill content
# Usage: curl -sL https://raw.githubusercontent.com/BluePointDigital/smart-memory/master/install.sh | bash
...
git clone --depth 1 "$REPO_URL.git" smart-memory-temp
...
npm install --silent
Recommendation

Use a pinned release or commit hash, publish a real install spec, avoid curl-to-bash installation, and document exactly which commands will run before users install.

Concern, Medium Confidence
ASI05: Unexpected Code Execution
What this means

A normal npm install can run local commands and install dependencies before the user has separately reviewed those commands.

Why it was flagged

The static scan shows the npm postinstall script shells out. Because install.sh runs npm install and comments that postinstall creates the Python venv and installs requirements, users may get command execution during setup that is not represented in the registry install metadata.

Skill content
const result = spawnSync(command, args, {
Recommendation

Move environment setup into an explicit, documented command, or make postinstall no-op by default and require user confirmation for shelling out.

Concern, Medium Confidence
ASI02: Tool Misuse and Exploitation
What this means

Any local client able to reach the service could potentially trigger major memory-state changes, not just search or commit normal memories.

Why it was flagged

The visible FastAPI route exposes a high-impact rebuild operation on the memory state, and the shown route does not include an authentication, confirmation, or scoping check.

Skill content
@app.post("/rebuild")
async def rebuild(request: Request):
    ...
    return jsonable_encoder(system.rebuild_all_memory_state())
Recommendation

Gate destructive or bulk-mutating endpoints behind explicit user confirmation, local auth, or a separate admin mode, and document the operational impact.

What this means

Private conversation details, preferences, identities, and task history may remain on disk and be reused in future agent responses.

Why it was flagged

The skill intentionally persists transcripts as canonical truth and derives reusable memories from them. This is core to the stated purpose, but the stored content may contain sensitive user data and can later shape prompts.

Skill content
- immutable local transcript logging with `sessions`, `transcript_messages`, and `memory_evidence` ... transcript messages are the source of truth
Recommendation

Install only if persistent local memory is desired; keep the data directory private, back it up carefully, and look for or request clear deletion/retention controls.

Note, High Confidence
ASI01: Agent Goal Hijack
What this means

The agent may consult stored memory automatically when it thinks continuity or prior preferences matter.

Why it was flagged

The skill instructs the agent to call memory retrieval before certain answers. This is aligned with a memory tool, but it does steer tool use and response grounding.

Skill content
Always retrieve before:
- summarizing prior discussions
- referencing earlier decisions
- recalling user preferences
Recommendation

Keep this behavior enabled only if you want automatic continuity; otherwise require explicit user approval before memory retrieval or memory-based claims.