Memory Hub
Warn
Audited by ClawScan on May 10, 2026.
Overview
Memory Hub mostly matches its shared-memory purpose, but it needs review because its installer can execute code from crafted setup input and its shared rules/memory can persistently influence multiple agents.
Install only if you trust the skill and are comfortable storing personal preferences in a private GitHub repo. Avoid running the installer with untrusted setup values until the Python interpolation issue is fixed. Use a dedicated private repository, review changes to RULES.md and TOOLS.md carefully, do not store secrets, and approve the AGENTS.md persistence change only if you want shared memory loaded in future sessions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A maliciously crafted repository URL or agent ID could cause local code execution when the installer writes its config.
The installer inserts user-entered REPO_URL and AGENT_ID directly into Python source passed to python3 -c. A value containing quotes and Python syntax could break out of the string and run local Python commands during installation.
read -r AGENT_ID ... python3 -c "... 'repo_url': '$REPO_URL', ... 'agent_id': '$AGENT_ID', ..."
Do not run the installer with untrusted or unusual setup values until this is fixed. The script should pass values through environment variables or JSON encoding, validate repo URLs and agent IDs, and avoid constructing Python source from raw user input.
A bad or compromised shared-memory entry could steer agent behavior across sessions or across multiple agents.
The shared repository includes RULES.md described as universal rules for all agents, and the read operation loads those files into the agent context. If that repo content is changed or poisoned, future agents may treat it as authoritative instructions.
RULES.md # Universal iron rules for all lobsters ... read — Read shared memory ... Read the contents of the four files into context
Restrict write access to the shared repo, review diffs before accepting changes to RULES.md and TOOLS.md, and instruct agents to treat shared memory as user-reviewed context rather than higher-priority instructions.
Personal preferences, habits, and operational notes may be shared with every agent or account that can access the repo.
The skill intentionally stores personal preferences and shared knowledge in a GitHub-backed memory repo and reuses it across agents. This is purpose-aligned, but it is sensitive persistent context.
USER.md (owner preferences/habits), KNOWLEDGE.md ... RULES.md ... TOOLS.md ... across multiple agents ... The shared repository should be set to Private (it contains personal private information)
Use a dedicated private repository, limit collaborators and tokens, avoid storing secrets or highly sensitive personal data, and periodically review the shared memory files.
The agent can mutate the configured GitHub memory repository when the write workflow is used.
The skill uses the user's Git/GitHub credentials to commit and push changes to the shared repository. That is expected for a GitHub memory-sync skill, but it is delegated account authority.
git -C ~/.openclaw/shared-memory add -A && git commit -m "🧠 [agent_id] 更新 FILE.md: 一句话描述" && git push
Use a dedicated private repo and least-privilege GitHub credentials where possible, and review commits made by agents.
Future sessions may automatically include shared-memory context after installation.
The installer can persistently modify AGENTS.md to read SHARED_MEMORY_CACHE.md in every session. It asks for confirmation, so this is disclosed and purpose-aligned, but it changes future agent startup behavior.
echo "是否允许自动写入?(y/n)" ... open('$AGENTS_FILE', 'w').write(content)
Only approve the AGENTS.md change if you want this persistence, and remove the added line if you later disable the skill.
