Multi Agent Memory
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill is mostly a local shared-memory/project-document system, but its helper scripts accept unvalidated names that can write outside the intended folder and may allow command injection.
Install only if you want persistent project and knowledge files shared across agents under .openclaw. Until the scripts validate input, use only simple trusted project and phase names, do not let agents run these helpers from untrusted text, and review generated memory files before relying on them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or mistaken project name could make the agent create or overwrite files outside the intended project-memory area.
The command-line project name is concatenated directly into filesystem paths and then used for directory creation and file writes. A name containing '../' can escape the intended /root/.openclaw/projects scope.
PROJECT_NAME="$1"
PROJECT_DIR="$BASE_DIR/projects/$PROJECT_NAME"
mkdir -p "$PROJECT_DIR"/{status,weekly,handoffs,docs/{requirements,specs},logs,milestones}Validate project names against a safe pattern such as letters, numbers, dots, underscores, and hyphens only; reject slashes and '..'; and verify the resolved path remains under the intended base directory.
If an agent runs the helper with a crafted project or phase name from untrusted text, it could execute unintended template-processing commands and potentially shell commands.
User-controlled project and phase values are inserted directly into a sed program without escaping. Special characters can break out of the replacement text and, on GNU sed, can potentially inject additional sed commands.
PROJECT_NAME="$1"
PHASE="$2"
sed "s/{PROJECT_NAME}/$PROJECT_NAME/g; s/{PHASE}/$PHASE/g; s/{DATE}/$DATE/g" \
"$TEMPLATE_DIR/handoff.md.template" > "$HANDOFF_FILE"Do not build sed programs from raw user input. Escape replacement values safely, use a safer templating method, and validate project and phase names before invoking the script.
Incorrect, stale, or adversarial notes in the shared memory could steer later agents or projects in the wrong direction.
The skill intentionally creates persistent shared project memory and tells agents to treat project documents as authoritative. This is purpose-aligned, but it means bad or outdated content can influence future agent actions.
**知识库(共享)**:`knowledge/decisions/`, `knowledge/patterns/`, `knowledge/glossary/` ... **信任文档**:context.md 是项目的"事实之源"
Review shared memory files periodically, keep provenance for important decisions, and avoid treating stored documents as higher priority than current user instructions.
The helper scripts may fail or rely on files not present in the reviewed artifact set.
The skill and scripts depend on template files, but the supplied file manifest contains only SKILL.md, package.json, and scripts. This looks incomplete rather than malicious, but the missing referenced files affect reviewability and runtime reliability.
所有模板文件位于:`~/.openclaw/skills/multi-agent-memory/templates/` ... 详细模板内容见 templates/ 目录。
Include the referenced templates in the package and declare required shell utilities or setup assumptions in the metadata.