v0.2.1

Engram

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:21 AM.

Analysis

Engram is a coherent local memory tool, but it encourages persistent storage and automatic reuse of sensitive memories, including credentials, and exposes memory access through local API/MCP interfaces without clear access controls.

Guidance: Review this carefully before installing. Engram’s core purpose is useful but sensitive: it creates long-lived agent memory. Do not allow it to store passwords, API keys, tokens, private client secrets, or regulated data unless you have reviewed the package and configured strict access controls. Treat recalled memories as suggestions, not truth, and regularly audit or delete stored memories.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
install:
  npm: engram-memory
  setup: |
    ...
    engram serve

The skill relies on an external npm package and local binary, while the supplied review artifacts contain only SKILL.md and no code files.

User impact: The documented package and server behavior cannot be verified from the provided artifacts alone.
Recommendation: Install only from a trusted npm source, review the package provenance, and verify what the server stores and exposes before using it with private data.

Rogue Agents
Severity: Low | Confidence: High | Status: Note
SKILL.md
# Start server (run as daemon or manually)
engram serve

The skill describes running a persistent local service, including as a daemon, which continues operating beyond a single agent response.

User impact: A background memory service may continue storing, serving, or updating memories after the immediate task is complete.
Recommendation: Run the server only when needed, understand where data is stored, and stop or disable the daemon when persistent memory is not desired.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: High | Confidence: High | Status: Concern
SKILL.md
Facts learned during work (credentials, preferences, dates)

The skill explicitly lists credentials as information to store in durable semantic memory, which creates a high-impact sensitive-data retention risk.

User impact: Passwords, tokens, or other secrets could be saved into long-lived agent memory and later recalled or exposed in future sessions.
Recommendation: Do not store credentials or secrets in Engram; add explicit rules requiring user approval and secret redaction before memory ingestion.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
**On every session start**, run:
```bash
engram search "<current task context>" --limit 10
```

The skill requires automatic cross-session memory retrieval at every session start, making stored memories persistent context that can influence future agent behavior.

User impact: Incorrect, stale, sensitive, or poisoned memories may be repeatedly injected into future work and shape the agent's decisions.
Recommendation: Require user-visible review of recalled memories, provide deletion/correction workflows, and avoid treating retrieved memories as authoritative.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: Medium | Status: Concern
SKILL.md
Server runs at `http://localhost:3400` ... **MCP tools:** `engram_add`, `engram_search`, `engram_recall`, `engram_forget`

The artifacts expose persistent memory operations over a local REST server and MCP tools, but do not document authentication, authorization, or client identity boundaries.

User impact: Other local tools or agent integrations may be able to read, add, recall, or forget memories if they can reach the local server or MCP integration.
Recommendation: Document and enforce access controls for the REST API, dashboard, and MCP server; restrict clients and avoid storing sensitive data unless access is well bounded.