Memory Sync CN
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
API keys or account details stored in MEMORY.md could be copied into a searchable memory database and later surfaced to an agent or user unintentionally.
The script is designed to import every non-empty MEMORY.md section, including sections labeled as API keys and account information, into CortexGraph.
SECTION_TAGS["宏斌的 API Keys"]="api-keys"
SECTION_TAGS["Moltbook 账号"]="moltbook"
...
mcporter call cortexgraph.save_memory ... content="$section_escaped: $content_escaped"
Do not store secrets in MEMORY.md before using this skill, or modify the script to skip/redact API key, token, password, and account sections.
Private daily notes, mistaken entries, or adversarial text in logs can become persistent searchable memory and may influence future agent behavior.
The daily-log sync reads the whole daily memory file and persists it to CortexGraph without filtering, exclusions, or retention controls shown in the artifacts.
CONTENT=$(cat "$DAILY_FILE")
...
mcporter call cortexgraph.save_memory ... content="[$DATE] $CONTENT_ESCAPED" ... source="memory/$DATE.md"
Use dry-run first, keep daily logs free of secrets and instructions from untrusted sources, and add allowlists/exclusion rules before syncing.
Running maintenance commands without review could remove or alter stored memories.
The documented maintenance commands can delete or merge memory entries. They are disclosed and purpose-aligned, but they mutate persistent memory.
mcporter call cortexgraph.gc
mcporter call cortexgraph.consolidate_memories auto_detect=true mode=apply
Prefer dry-run or preview modes first, back up CortexGraph storage, and only run apply/GC commands when you are comfortable with the changes.
Installing unpinned external tools means behavior can depend on the current package versions and their supply-chain integrity.
The skill depends on external global packages from package managers, with no pinned versions or lockfile shown. This is expected for the tool integration but still affects provenance.
uv tool install cortexgraph
npm install -g mcporter
Install from trusted sources, consider pinning package versions, and review cortexgraph/mcporter before syncing sensitive memories.
