Shodh Local
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Future agent replies may be shaped by previously stored memories, preferences, todos, or summaries.
The skill intentionally stores and recalls persistent memories into future agent context. This is aligned with the memory purpose, but stored sensitive, stale, or incorrect content could influence later responses.
Use for persistent remembering, semantic recall... Proactive context... Before reply: Recall recent context for continuity
Review and delete incorrect or sensitive memories, avoid storing secrets, and use clear user IDs/tags to prevent mixing unrelated contexts.
Anyone or any agent with the key could potentially read, create, change, or delete local memory and todo data through the server API.
The skill uses a local API key for the memory server, while the registry metadata declares no primary credential or required environment variable. This appears expected for the local service, but it is still access control for memory data.
**Key**: `<YOUR-API-KEY>` (X-API-Key, generate via shodh-memory-server)
Keep the key local, do not paste it into shared conversations or repositories, rotate it if exposed, and ensure the localhost service is not externally reachable.
The real behavior of the local memory server and TUI depends on the separate binaries the user installs or already has.
The instruction-only skill depends on local executables that are not included in the provided artifact set. This is disclosed and purpose-aligned, but the security of those binaries is outside the provided skill files.
**Binary**: `./shodh-memory-server` ... **TUI**: `cd tools/shodh-memory && ./shodh-tui`
Install the server and TUI only from a trusted source, verify versions/checksums where possible, and avoid running unknown local binaries.
Accidental or poorly scoped use could remove memories or todos from the local store.
The documented API includes mutation and deletion operations for persistent memory and todos. These are normal for the stated product, but destructive actions should remain user-controlled.
DELETE | /api/memory/{id} | Delete ... POST | /api/todos/delete | Delete
Ask for confirmation before deletes or bulk changes, and keep backups if the memory store becomes important.
