Supermemory
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly matches its stated SuperMemory purpose, but it ships an API-key-like credential and encourages saving secrets to a remote memory service.
Do not use the API key shown in the skill. Use your own SuperMemory key through a secure environment variable, avoid saving passwords or tokens as memories, and confirm how SuperMemory stores, deletes, and protects your data before installing.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors reported this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding: The setup block provides a concrete API-key-like value rather than a placeholder. The scripts use SUPERMEMORY_API_KEY as the bearer token, so users may be guided into using an exposed or shared account credential.
Evidence:
export SUPERMEMORY_API_KEY="sm_oiZHA2H...qwEPe"
Impact: Memories could be stored or searched through an account that is not the user's own, and the embedded key itself may be an exposed credential.
Recommendation: Remove the hardcoded key, rotate or revoke it if it is real, declare SUPERMEMORY_API_KEY as a required credential in registry metadata, and require each user to supply their own key securely.
Finding: The skill uses an external persistent memory service and explicitly presents API credentials as suitable memory content, which normalizes storing secrets in retrievable memory.
Evidence:
Store, search, and chat with your personal knowledge base using SuperMemory's API ... "Remember that my API key is xyz" -> supermemory add "My API key is xyz" --description "API credentials"
Impact: Passwords, tokens, or API keys saved this way could persist in a third-party service and later be retrieved, exposed, or mixed with other memory results.
Recommendation: Add clear warnings not to store secrets, remove the credential-storage example, document retention/deletion behavior, and ask for explicit confirmation before storing sensitive-looking content.
Finding: The scripts rely on local tools such as curl and python3 even though the registry requirements list no required binaries. This is purpose-aligned but under-declared setup information.
Evidence:
RESPONSE=$(curl -s -X POST "$API_URL" ...); echo "$RESPONSE" | python3 -m json.tool
Impact: The skill may fail or behave unexpectedly if these tools are unavailable, and the install UI may not clearly warn users about its runtime needs.
Recommendation: Declare the required runtime tools and credential requirements in registry metadata, or provide a documented wrapper that ensures the dependencies are present.
