mem-rag-milvus

ReviewAudited by ClawScan on May 10, 2026.

Overview

This is a coherent memory/RAG skill, but it persistently stores assistant memories in multiple places and may send memory text or search queries to an Ollama embedding endpoint without clear opt-in or deletion coverage.

Before installing, decide what kinds of information the assistant may store. Avoid storing secrets unless you have set safe database and backup paths, understand that backup JSON files may retain deleted memories, and confirm that OLLAMA_URL points only to an embedding service you trust.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI06: Memory and Context Poisoning

What this means

Sensitive memories may remain in backup files even after a user or agent believes the memory was deleted.

Why it was flagged

The skill automatically backs up every stored memory to a JSON file, but the delete path only deletes from the active backend and does not remove backup copies.

Skill content

self._backup_to_file(content, metadata, memory_id)
...
def delete_memory(self, memory_id: int) -> bool:
        self.backend.delete(memory_id)

Recommendation

Add clear retention documentation and implement deletion or cleanup for backup files, or warn users that backups must be manually managed.

Medium

#ASI07: Insecure Inter-Agent Communication

What this means

Memory contents or search queries could be sent to a local or configured embedding service, which may surprise users who expect SQLite-only local storage.

Why it was flagged

The embedding function sends the provided text to the configured Ollama endpoint; store and search call this with memory content and queries, including when SQLite is the default backend.

Skill content

response = requests.post(
                f"{self.ollama_url}/api/embed",
                json={"model": "bge-m3", "input": text},
                timeout=30
            )

Recommendation

Make embedding calls explicitly opt-in, document that memory text and queries are sent to OLLAMA_URL, and avoid calling embeddings in SQLite mode unless needed.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Users must manage dependency installation themselves, and package versions are not pinned by the skill artifacts.

Why it was flagged

The skill documents manual installation of unpinned PyPI packages, while the registry metadata only requires python3 and there is no install spec.

Skill content

pip install requests pymilvus

Recommendation

Install dependencies from trusted sources and consider adding a pinned requirements file or install spec.