Cortex
Review
Audited by ClawScan on May 10, 2026.
Overview
Cortex is a coherent local memory tool, but it can persistently ingest broad local and connected-account data and expose it through MCP/background sync without enough scoping details.
Install only if you want a persistent agent memory database. Start with a small, non-sensitive folder, avoid '--all' connector sync, verify any downloaded binary, and confirm how to inspect, delete, and disable stored memories and background sync.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private notes or project files could become long-lived searchable agent memory and influence future agent behavior.
The skill persistently extracts and stores facts from broad user-selected files for reuse across sessions, but the artifacts do not define exclusions, retention limits, review steps, or how stored facts are prevented from being over-trusted later.
Persistent SQLite DB survives any session ... Import-first: Markdown, text, any file ... Every imported file gets facts extracted automatically
Import only scoped folders, review extracted memories, document deletion/retention controls, and avoid importing secrets or sensitive personal/account data.
If enabled, the tool may ingest sensitive email, drive, calendar, chat, or workspace data into persistent memory.
The documented connector mode can pull from several sensitive third-party accounts, including an all-providers sync, but the artifacts do not state credential scopes, approval boundaries, or what account data is imported.
8 connectors (GitHub, Gmail, Calendar, Drive, Slack, Notion, Discord, Telegram) ... cortex connect sync --all --extract
Use the minimum connector set, review OAuth/API scopes before authorizing, avoid '--all' until scopes are understood, and keep provider credentials separate and revocable.
A misconfigured MCP server could expose memory search or memory-management tools to unintended local or network clients.
The skill exposes memory through MCP, including an HTTP+SSE mode, but the artifacts do not describe binding address, authentication, client identity checks, or tool/resource permission boundaries.
cortex mcp              # stdio mode
cortex mcp --port 8080  # HTTP+SSE mode
Prefer stdio mode when possible, bind HTTP only to localhost, require authentication if supported, and limit which agents can access the MCP tools.
Cortex may keep importing sessions and connector data on a schedule if the user installs the service.
The background scheduler is disclosed and user-directed, but it creates ongoing sync behavior that can continue after the immediate task.
# Auto-import sessions + sync connectors every 30 min
cortex connect schedule --every 30m --install
Install scheduled sync only if you want ongoing background ingestion, and confirm how to disable or uninstall the schedule.
The installed executable is not reviewable from these artifacts and depends on the current GitHub release at setup time.
The setup script downloads the latest release binary and makes it executable without a pinned version, checksum, or signature verification in the artifact.
DOWNLOAD_URL="https://github.com/$REPO/releases/latest/download/cortex-${OS}-${ARCH}" ... curl -fSL "$DOWNLOAD_URL" -o "$INSTALL_DIR/cortex" ... chmod +x "$INSTALL_DIR/cortex"
Install a pinned release, verify checksums or signatures if available, and review the upstream project before running the binary.
