Multi-Agent Memory System
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Review recommended: the memory features are mostly disclosed, but agent registration creates directories from unvalidated agent IDs, and the skill persistently stores prompt/tool summaries.
Install only if you want a persistent local memory system. Use a dedicated MEMORY_WORKSPACE, avoid entering secrets into captured prompts, do not provide an LLM API key unless needed, and ask the publisher to validate agent IDs, pin dependencies, document retention/deletion controls, and clarify that the dashboard metrics are real rather than simulated.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted agent name could cause the skill to create directories outside its intended memory workspace, potentially modifying unexpected local paths.
The agent ID is used directly to build a filesystem path for directory creation. Since the skill documents a register command that takes an agent ID, IDs containing path separators or absolute paths could escape the intended agents directory.
def register_agent(self, agent_id, agent_config=None):
    ...
    agent_path = self.agent_dir / agent_id
    agent_path.mkdir(parents=True, exist_ok=True)
Validate agent IDs as simple safe names, reject absolute paths and '..', and resolve/check the final path stays under the agents directory before creating it.
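A hardened registration routine along the lines of the recommendation above, written here as an added example and not taken from the skill's own code; the agents_root location, the ID allow-list pattern and the sample IDs are assumptions:

```python
import re
from pathlib import Path

# Assumed allow-list: one path component, letters/digits/underscore/hyphen, max 64 chars.
AGENT_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


class AgentIdError(ValueError):
    """Raised when an agent ID is not a safe single path component."""


def resolve_agent_dir(agents_root, agent_id: str) -> Path:
    """Map agent_id to a directory guaranteed to sit directly under agents_root.

    Two independent checks: the allow-list rejects '..', separators, absolute
    paths and empty names before any filesystem call; the resolved-path check
    also catches an existing symlink named like the ID that points elsewhere.
    """
    if not AGENT_ID_RE.fullmatch(agent_id):
        raise AgentIdError(f"unsafe agent id: {agent_id!r}")
    root = Path(agents_root).resolve()
    candidate = (root / agent_id).resolve()
    if candidate.parent != root:
        raise AgentIdError(f"agent id escapes agents directory: {agent_id!r}")
    return candidate


def register_agent(agents_root, agent_id: str, agent_config=None) -> Path:
    """Hardened counterpart of the quoted register_agent: validate first, then mkdir."""
    agent_path = resolve_agent_dir(agents_root, agent_id)
    agent_path.mkdir(parents=True, exist_ok=True)
    return agent_path


def classify_agent_ids(agents_root, agent_ids) -> dict:
    """Return {agent_id: accepted?} for a batch of IDs without touching the disk."""
    results = {}
    for agent_id in agent_ids:
        try:
            resolve_agent_dir(agents_root, agent_id)
            results[agent_id] = True
        except AgentIdError:
            results[agent_id] = False
    return results


if __name__ == "__main__":
    # Constructed sample IDs; the first two are fine, the rest would escape or misbehave.
    root = "/tmp/memory_workspace/agents"  # placeholder for the real MEMORY_WORKSPACE
    sample = ["planner-01", "reviewer_2", "../escape", "/etc/agents", "a/b", "..", ""]
    for agent_id, ok in classify_agent_ids(root, sample).items():
        print(f"{agent_id!r:>14}: {'accepted' if ok else 'rejected'}")
```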
Sensitive prompt or tool-use details may persist locally and may influence future retrieval or multi-agent context.
The hook system stores user prompt summaries, tool summaries, and other agent events into daily memory files for later use.
"tool_use": {"capture_fields": ["tool_name", "input_summary", "output_summary"]}
...
"user_prompt": {"capture_fields": ["prompt_summary", "intent", "timestamp"]}
...
daily_file = MEMORY_DIR / f"{today}.md"
Use a dedicated MEMORY_WORKSPACE, avoid storing secrets in prompts, and ask for retention, deletion, and exclusion controls before enabling broad automatic capture.
If configured, the skill may rely on a third-party LLM credential; users need to know which provider/account is being used.
The skill documentation references an LLM API key even though registry metadata lists no primary credential or required environment variables. This appears optional and purpose-aligned, but it is under-declared.
MEMORY_LLM_API_KEY=your-api-key
Declare optional credentials in metadata, document provider scope, and do not provide an API key unless the LLM-assisted features are needed.
Dependency versions may vary between installations, and users may not realize these packages are part of setup.
The skill declares Python package dependencies in its own metadata, but the versions are not pinned and the registry section says there is no install spec.
install:
  - id: pip
    kind: pip
    package: lancedb
  ...
  - id: pip2
    kind: pip
    package: numpy
Pin dependency versions and align registry install metadata with SKILL.md so users can review exactly what will be installed.
Users could over-trust dashboard health, cost, accuracy, or conflict-resolution numbers that are not actually measured.
The dashboard labels metrics as real-time, but the provided JavaScript generates displayed values randomly.
<p>健康度监控面板 - 实时数据</p>
...
const totalMemories = Math.floor(Math.random() * 100) + 1200;
Treat the dashboard as demo data unless it is wired to real metrics, and label simulated values clearly.
