Supermemory
Verdict: Suspicious. Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its stated SuperMemory purpose, but it includes a real-looking API key in setup and explicitly suggests storing API credentials in a remote memory service.
Review before installing. Use only your own SuperMemory API key, do not copy the embedded key, and avoid storing secrets such as API keys or passwords in the memory database unless you fully understand the provider’s access, retention, and sharing model.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user follows the setup, their memories may be stored or searched under an unknown/shared SuperMemory account, exposing data to whoever controls that key and risking abuse or revocation of the leaked credential.
The skill requires a SuperMemory bearer key and provides a concrete, real-looking key instead of a placeholder. The registry metadata also reports no primary credential, so users may not get clear credential-boundary visibility.
"requires":{"env":["SUPERMEMORY_API_KEY"]} ... export SUPERMEMORY_API_KEY="sm_oiZHA2H...wEPe"
Remove and revoke the embedded key, use a placeholder such as "your-api-key", require each user to supply their own key securely, and declare SUPERMEMORY_API_KEY as the primary credential in registry metadata.
Secrets saved as memories can be sent to SuperMemory, retrieved later into chats or agent context, and exposed if the account, key, or downstream context is compromised.
The documentation explicitly recommends storing API credentials as memories in an external persistent knowledge base, with no warning, redaction, retention limit, or confirmation guidance.
"Remember that my API key is xyz" → `supermemory add "My API key is xyz" --description "API credentials"`
Do not encourage storing API keys, passwords, tokens, or other secrets. Add clear warnings, redact sensitive values by default, and require explicit user confirmation before saving sensitive content.
