Graphiti

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is a coherent Graphiti API wrapper with no artifact-backed malicious behavior, but it can write persistent graph memory and has a URL-configuration inconsistency worth noting.

Install this only if you want the agent to query and add data to your Graphiti knowledge graph. Treat added episodes as persistent memory, avoid storing secrets, and verify the Graphiti endpoint with Clawdbot config rather than relying on the documented GRAPHITI_URL environment fallback.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may add or change remembered information in the connected Graphiti service.

Why it was flagged

The skill uses shell/curl instructions to perform a Graphiti API write. This is aligned with the stated purpose, but users should notice that the agent can create new knowledge-graph entries.

Skill content

curl -s -X POST "$GRAPHITI_URL/messages" ... -d '{"name": "EPISODE_NAME", "content": "EPISODE_CONTENT"}'

Recommendation

Use the add operation only for content you intentionally want stored, and review important additions before relying on them later.

What this means

Sensitive, incorrect, or adversarial content stored as a memory could be retrieved and reused in future tasks.

Why it was flagged

The skill intentionally writes persistent memory to a knowledge graph. Persistent memories can later influence search results and agent context.

Skill content

Add a new episode/memory to the knowledge graph.

Recommendation

Avoid storing secrets or untrusted instructions as memories, and periodically review or remove outdated Graphiti entries.

What this means

If a user sets GRAPHITI_URL expecting a specific service, the skill may still use Clawdbot config or localhost instead.

Why it was flagged

The script overwrites GRAPHITI_URL from Clawdbot config before falling back to localhost, despite documentation saying the environment variable is supported. This can make endpoint selection differ from user expectations.

Skill content

GRAPHITI_URL=$(clawdbot config get skills.graphiti.baseUrl 2>/dev/null || echo "") ... GRAPHITI_URL=${GRAPHITI_URL:-"http://localhost:8001"}

Recommendation

Prefer setting `clawdbot config set skills.graphiti.baseUrl ...` and verify the endpoint before adding memories.