MemoryLayer

Pass. Audited by ClawScan on May 10, 2026.

Overview

MemoryLayer is a coherent hosted semantic-memory wrapper, but it requires account credentials and stores agent memories in an external service.

Install only if you are comfortable sending selected agent memories to MemoryLayer's hosted service. Use a dedicated API key if possible, confirm the configured API URL is trusted, and avoid storing passwords, tokens, private documents, or instructions that should not influence future agent behavior.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can access the user's MemoryLayer account and the memories stored there using the configured credentials.

Why it was flagged

The client uses MemoryLayer account credentials or an API key and submits email/password to the configured API login endpoint. This is aligned with the service, but it gives the skill delegated account access.

Skill content

this.email = options.email || process.env.MEMORYLAYER_EMAIL; ... this.apiKey = options.apiKey || process.env.MEMORYLAYER_API_KEY; ... await axios.post(`${this.apiUrl}/auth/login`, { email: this.email, password: this.password });

Recommendation

Prefer an API key if available, rotate it if exposed, and verify MEMORYLAYER_URL points only to the intended MemoryLayer or trusted self-hosted endpoint.

What this means

Sensitive, incorrect, or maliciously influenced memories could persist and be reused in later prompts.

Why it was flagged

Arbitrary memory content is persisted to the remote API and later returned as formatted prompt context, so stored memories can influence future agent behavior.

Skill content

await axios.post(`${this.apiUrl}/memories`, { content, ... }); ... lines.push(`- ${result.memory.content} (relevance: ${result.relevance_score.toFixed(2)})`);

Recommendation

Avoid storing secrets or highly sensitive details, periodically review/delete stored memories if the service supports it, and have agents treat retrieved memories as context rather than authoritative instructions.