MemoryAI
Security checks across static analysis, malware telemetry, and agentic risk
Overview
MemoryAI is a coherent long-term memory skill, but users should understand it can send and keep chat/context data on a MemoryAI service for later reuse.
Install only if you are comfortable sending selected memories, summaries, or session handoff content to the configured MemoryAI endpoint. Avoid storing secrets, protect the API key, verify the provider, and enable the optional background Context Guard only if you understand how to disable it.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private chat content, project details, or mistaken memories may be stored and later recalled by the agent.
The skill intentionally persists and reuses conversation context and memories across sessions, which is central to its purpose but can retain sensitive or incorrect information.
Old session sends its conversation to your configured MemoryAI endpoint (HTTPS) ... New session retrieves the old conversation + related long-term memories
Do not store secrets or highly sensitive data, review what is saved, use retention/delete options where available, and treat restored memories as context to verify rather than unquestioned truth.
Anyone who obtains the API key could potentially access or modify the user’s MemoryAI data.
The client sends a configured MemoryAI API key as a bearer token for API requests, which is expected for the service but is a sensitive credential.
"Authorization": f"Bearer {api_key}"Prefer environment variables or secure secret storage, avoid committing config.json with a real key, and rotate the API key if it may have been exposed.
If enabled, the agent may perform periodic memory checks or compaction without visible replies.
The skill documents an optional recurring background job. It is disclosed and requires user permission, but it would keep operating on a schedule if enabled.
Background job to automatically monitor and compact memory ... create a cron job ... Schedule: every 15 minutes ... Delivery: none ... Always ask the user before creating the cron job.
Enable Context Guard only if desired, confirm the exact cron job that is created, and keep instructions for disabling or removing it.
Users have less independent information to verify the publisher, backend service, or update history.
The registry information does not provide a source repository or homepage, which limits provenance review for a skill that sends data to an external memory service.
Source: unknown; Homepage: none
Inspect the included code, verify the memoryai.dev service out-of-band, and install only if you trust the provider.