Supermemory

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a real long-term memory tool, but it can automatically store and reuse conversation-derived facts across sessions and agents without clear controls.

Install only if you want persistent agent memory. Before enabling automatic ingestion or the plugin, decide what conversations may be stored, separate memories by project or agent, keep the API local/private, review how to delete stored memories, and use a controlled LLM API key.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Sensitive or incorrect information could be stored long-term and later influence the agent in unrelated sessions.

Why it was flagged

The skill is designed to persist facts and inject them into future agent context, including across sessions and agents, but does not describe controls for review, deletion, filtering, or preventing poisoned memories from influencing future tasks.

Skill content

“Inject relevant context before the agent processes a message” ... “After meaningful agent turns, extract and store facts” ... “instant recall across sessions and agents.”

Recommendation

Use explicit opt-in for ingestion, keep separate memory stores per project or agent, review memories before reuse, and provide clear delete/forget controls.

What this means

One agent or workflow may be able to recall information stored by another, creating privacy and context-leakage risks.

Why it was flagged

The artifact explicitly supports multiple agents sharing one memory database and searching across agents, but it does not define permission boundaries or isolation between agents, projects, or users.

Skill content

“Multi-agent: Single DB with agent_id tagging, cross-agent semantic search.”

Recommendation

Require separate namespaces or databases by default, enforce per-agent access controls, and make cross-agent recall an explicit user-approved action.

What this means

Ingesting memories may use the user's LLM account, incur costs, and send extracted text to the configured provider.

Why it was flagged

The skill expects a provider API key for fact extraction. This is purpose-aligned, but the registry metadata declares no required environment variables or primary credential.

Skill content

“Requires an LLM API key for fact extraction (default: Anthropic Haiku).” ... “export ANTHROPIC_API_KEY=sk-...”

Recommendation

Use a scoped API key where possible, monitor provider usage, and avoid ingesting sensitive content unless the provider and retention settings are acceptable.

What this means

If the API is reachable by other local or network processes, they may be able to read or write memory contents.

Why it was flagged

The skill exposes memory search, entity lookup, and ingestion through a local API service, but the artifact does not state binding, authentication, or access-control behavior.

Skill content

“supermemory serve       # starts API on :8642” ... “GET /api/entities” ... “GET /api/entity/{name}” ... “POST /api/ingest.”

Recommendation

Bind the service to localhost, add authentication if exposed beyond the local machine, and avoid running it on shared or untrusted systems.

What this means

Installing the package or plugin will run third-party code outside the reviewed skill artifact.

Why it was flagged

The reviewed artifact is instruction-only and directs installation of external PyPI/GitHub components that were not included for static review.

Skill content

“pip install openclaw-supermemory[local]” ... “Install the supermemory-claw plugin ... for automatic memory injection and extraction.”

Recommendation

Review the package and plugin source, pin versions, install in an isolated environment, and avoid enabling the automatic plugin until its behavior is understood.