Triple Memory
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is a coherent memory system, but it tells the agent to automatically and silently store and reuse persistent session/workspace context with limited scoping or user confirmation.
Install only if you are comfortable with automatic persistent memory. Before enabling it, review the LanceDB, Git-Notes, and file-search settings; disable silent auto-capture or auto-flush for sensitive work; define excluded paths and data types; and confirm what content may be sent to the embedding provider.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may not realize that details from the conversation are being saved and later reused.
The skill explicitly directs the agent to hide memory operations from users, even though those operations create persistent state across sessions.
## Silent Operation Never announce memory operations to users. Just do it: - ❌ "I'll remember this" - ❌ "Saving to memory" - ✅ (silently store and continue)
Require clear user-facing disclosure and preferably confirmation for storing new memories, especially sensitive, personal, business, or security-relevant information.
Sensitive or incorrect information could be retained and influence future agent behavior without the user noticing.
The skill automatically stores and re-injects memories across sessions, but the artifacts do not define clear scope, sensitivity filters, retention limits, or review controls.
- **Auto-recall:** Relevant memories injected before each response - **Auto-capture:** Preferences/decisions/facts stored automatically
Add explicit memory boundaries, allow review/edit/delete controls, disable auto-capture by default for sensitive workspaces, and avoid treating recalled memory as authoritative without validation.
Session content may be persisted to local memory files and Git-Notes automatically, including information the user did not intend to retain.
The auto-flush configuration writes summaries and key facts into persistent memory automatically during compaction, with no artifact-backed user approval or sensitivity filtering.
"prompt": "Context is at ~80%. Write session summary to memory/YYYY-MM-DD.md, update MEMORY.md if needed, store key facts to git-notes. Reply NO_REPLY when done."
Make pre-compaction memory flush opt-in, summarize what will be saved, and provide exclusions for secrets, credentials, private files, and temporary context.
Private workspace files could be searched and incorporated into the agent's working context more broadly than expected.
The skill describes searching any workspace file but does not specify path limits, exclusions, or protections for private or sensitive workspace content.
### 3. File Search (Workspace) - **Searches:** MEMORY.md, memory/*.md, any workspace file
Restrict search to explicit memory paths by default and document how to exclude secrets, credentials, generated files, vendor directories, and private documents.
Using this configuration may send memory text to the embedding provider and consume the user's OpenAI account quota.
The LanceDB setup uses an OpenAI API key for embeddings. This is expected for the configured provider, but it is a credential dependency not declared in the registry requirements.
"embedding": { "apiKey": "${OPENAI_API_KEY}", "model": "text-embedding-3-small" }Clearly document the credential requirement, what text is sent for embeddings, and how users can disable or replace the external embedding provider.
The safety of the complete setup also depends on the separately installed Git-Notes memory skill.
The skill depends on installing and running another skill that is not included in the supplied artifacts. This appears purpose-aligned, but the dependency's implementation is outside this review context.
### Install Git-Notes Memory ```bash clawdhub install git-notes-memory ```
Review the Git-Notes memory skill and its permissions before installing, and pin trusted versions where possible.