Skill v1.0.2
ClawScan security
MEMORIA: Persistent Memory Layer for AI Agents · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 12:56 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's purpose (local persistent memory in a markdown file) matches its runtime instructions and it requests no credentials, but documentation inconsistencies and vague file-editing instructions create privacy and accidental-exfiltration risks that you should understand before installing.
- Guidance: This skill appears to do what it says, keep a local markdown memory file and read/update it each session, but there are documentation inconsistencies and some ambiguous instructions you should address before installing:
  - Review the example content and remove any sensitive items (IP addresses, server hostnames, credentials). The examples include an IP even though the SKILL.md says 'NEVER' store IPs; do not follow the example.
  - Confirm how the agent will 'patch the specific section' of the file. Ask for or require a concrete, safe editing method (for example an append-only section, delimited blocks with explicit markers, or a vetted editing library) so that a section patch cannot turn into an accidental full-file overwrite; the backup-before-write the SKILL.md already requires limits the damage if it does.
  - Fix the .gitignore guidance. Appending an entry to the '.gitignore' in the current directory only affects that repository, and ~/.memoria/memory.md normally lives outside any repository, so the entry protects nothing unless the memory file is inside that working tree. If you want global protection, configure a global excludes file (for example ~/.gitignore_global, registered with git config --global core.excludesFile), or add the path to the project-level .gitignore of any repository that actually contains the file. Consider encrypting the file or keeping it outside repository roots if it may contain sensitive data.
  - Be careful about pairing with cloud-synced tools (Obsidian Sync, GitHub). If you enable syncing, the local-only privacy guarantee no longer holds. Decide whether you want the memory file to ever leave your machine.
  - After installation, inspect ~/.memoria/memory.md and ~/.memoria/archive/ to ensure permission bits (owner-only, that is 600 for the file and 700 for the directory) and content are acceptable; review backups and retention policy, since archived copies keep whatever the file contained when each backup was taken.

  If the author can clarify the concrete file-editing implementation and correct the example contradictions, the skill would look coherent and low-risk; until then, proceed cautiously and treat the memory file as potentially sensitive.
Review Dimensions
- Purpose & Capability (note): Name/description claim a local-only persistent memory stored in a markdown file, and the SKILL.md only references reading/writing that file; no binaries, env vars, or external services are required, which is coherent. However, the examples and README suggest pairing with services (Obsidian, GitHub), and an example contains a literal IP address (188.245.245.132) despite the SKILL.md explicitly saying 'NEVER: ... IP addresses', an internal documentation contradiction worth noting.
- Instruction Scope (note): Instructions focus on reading and updating a local ~/.memoria/memory.md file at session start and on backups before writes. They explicitly prohibit storing credentials and IPs. Concerns: (1) the SKILL.md does not provide a concrete, safe patching mechanism; 'patch the specific section' is ambiguous and, depending on how the agent implements it, could overwrite or corrupt the file; (2) examples include sensitive-looking data (an IP) that contradicts the 'NEVER' rule; (3) the security setup appends to '.gitignore' in the current directory rather than to a global excludes file or to the .gitignore of the repository that actually contains the memory file, so the entry has no effect on ~/.memoria/memory.md unless that file is inside the current repository, and it could mislead non-technical users into believing the file is protected.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files, the lowest install risk. Nothing is downloaded or written by a packaged installer.
- Credentials (note): The skill declares no required environment variables, binaries, or credentials, which is proportionate to a local-memory feature. Caveat: the skill grants the agent permission to read and write a local file every session; although the SKILL.md forbids storing secrets, users may accidentally put secrets (API keys, IPs, passwords) into the memory file, which gives the agent access to them. The 'pairs with' suggestions (GitHub/Obsidian) could also lead to syncing the file to cloud services if the user enables those integrations.
- Persistence & Privilege (ok): The skill is user-invocable, not always-included, and does not request special platform privileges. Autonomous invocation is allowed (the platform default); combined with local file read/write this gives the agent ongoing access to stored context, which is expected for a memory skill but increases the blast radius if the memory file contains secrets.
