Auto Memory

Pass

Audited by ClawScan on May 10, 2026.

Overview

Auto Memory’s code matches its advertised purpose, but users should remember that uploaded memories/files may be permanent and the Auto Drive API key must be protected.

This skill appears coherent and purpose-aligned. Before installing, be comfortable with permanent decentralized storage: only upload or save memories you truly want retained, protect the AUTO_DRIVE_API_KEY, and treat recalled memory chains as data to review rather than blindly trusted instructions.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Sensitive information or misleading instructions saved into the chain could be difficult to remove and may affect future sessions.

Why it was flagged

This is the core feature, but it means saved context can persist indefinitely and later influence agent behavior if recalled or restored.

Skill content

Agent memories are stored as a linked list on permanent decentralized storage... fully reconstructed from a single piece of information: the CID of its most recent experience.

Recommendation

Save only content you are comfortable making permanent, verify CIDs before recall or restore, and review recalled memories before treating them as trusted instructions.

What this means

Anyone who obtains the API key could use the user’s Auto Drive account capabilities, such as uploads and account checks.

Why it was flagged

The setup flow stores the Auto Drive API key locally. File permissions are restricted, and this is expected for the service integration.

Skill content

echo "AUTO_DRIVE_API_KEY='${safe_key}'" >> "$AM_ENV_FILE"
chmod 600 "$AM_ENV_FILE"

Recommendation

Keep the key private, rotate it if exposed, avoid sharing terminal output or config files containing it, and use the least-privileged key available.

What this means

A selected file may be uploaded to external decentralized storage and receive a permanent CID.

Why it was flagged

The upload script sends the user-specified file contents to the Auto Drive API. This is purpose-aligned, but uploading the wrong file could permanently expose private data.

Skill content

-F "file=@$FILE_PATH"

Recommendation

Confirm the exact file path and contents before upload, and do not upload secrets, credentials, or private files unless permanence is intended.

What this means

Users have less external provenance information for a skill that handles credentials and permanent storage.

Why it was flagged

The registry metadata does not provide an upstream source or homepage. The provided code is reviewable and no hidden installer is shown, but provenance is limited.

Skill content

Source: unknown
Homepage: none

Recommendation

Install only from a trusted registry/source and review the included scripts before use, especially before entering an API key.