Agent Memory Store

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill implements a shared memory server, but its persistent memories are not access-controlled and it can send memory text to OpenAI using any ambient API key.

Only run this in an isolated environment unless you add authentication and owner checks. Avoid storing secrets, set TTLs, restrict the server to localhost or a trusted network, and unset OPENAI_API_KEY unless you intentionally want memory content and searches sent to OpenAI.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Other local or network-reachable clients may be able to read, write, or delete persistent agent memories, depending on how the environment exposes port 8768.

Why it was flagged

The service listens on all interfaces and the memory list/read/delete handlers do not show authentication or caller identity checks; when no agent parameter is supplied, no owner filter is applied.

Skill content

HTTPServer(("0.0.0.0", PORT), Handler).serve_forever()
agent = qs.get("agent",[None])[0]
if agent: sql += " AND (owner=? OR public=1)"
get_db().execute("DELETE FROM memories WHERE id=?",(mid,))

Recommendation

Bind to localhost by default, add authentication and owner authorization, require explicit agent scoping, and document any intended network exposure.

What this means

A mistaken or malicious client could plant false persistent memories that influence future agent behavior across restarts.

Why it was flagged

Any caller can choose the owner, content, public flag, and omit TTL, creating persistent memories that can later be retrieved by that owner or by all agents if marked public.

Skill content

DB_FILE = "/root/.openclaw/workspace/data/agent_memory.db"
...
(mid, body["owner"], body["content"], json.dumps(body.get("tags",[])), 1 if body.get("public") else 0, time.time(), time.time()+ttl if ttl else None, emb)

Recommendation

Authenticate writers, bind the owner field to the caller identity, keep provenance, moderate public memories, and default to short TTLs or per-agent isolation.

What this means

If OPENAI_API_KEY is present, stored memories and queries may be transmitted to OpenAI and billed to that account without a clear user-facing opt-in.

Why it was flagged

The code automatically uses an ambient OpenAI API key and sends stored memory text or search queries for embeddings, while the registry metadata declares no required env vars or primary credential.

Skill content

OPENAI_KEY = os.getenv("OPENAI_API_KEY", "")
req = urllib.request.Request("https://api.openai.com/v1/embeddings", data=payload, headers={"Authorization": f"Bearer {OPENAI_KEY}", "Content-Type": "application/json"})
emb = embed_openai(body["content"])

Recommendation

Declare the optional credential, make external embeddings an explicit opt-in setting, document exactly what text is sent, and provide a simple way to force local-only Jaccard search.