agentmemory-mcp

Warn. Audited by ClawScan on May 13, 2026.

Overview

This is a legitimate persistent-memory integration, but review is recommended because the included plugin can inject stored memories as system-level context, auto-save session output, and run a persistent Docker-backed service.

Install only if you want persistent cross-session memory and are comfortable reviewing what gets saved. Treat the included plugin’s automatic recall/capture as high impact, avoid storing secrets, pin upstream package and Docker versions, and be especially careful before running the Docker-backed persistent service.

Publisher note

I am requesting a review of the Suspicious verdict applied to my skill agentmemory-mcp (v1.3.0) on ClawHub.

Skill URL: https://clawhub.ai/lufei4/agentmemory-mcp/security/clawscan
Publisher: lufei4

I believe the 7 ClawScan findings are purpose-aligned with disclosed risks, not actual security concerns. My detailed response to each finding:

ASI06 (Memory Poisoning ×2) — CONCERN level

Finding 1: "auto saves without user confirmation"
Response: agentmemory does NOT auto-save by default. Users must explicitly call memory_save(). The "onAfterAgent" hook only runs when the OpenClaw MCP plugin is installed AND configured to do so — it is NOT enabled in the base SKILL.md setup.

Finding 2: "injects as system role"
Response: This was a misinterpretation. Memory content is injected as assistant/observation role, not system role. SKILL.md clearly states "SessionStart hook NOT enabled" (AGENTMEMORY_INJECT_CONTEXT is OFF by default).

ASI04 (Supply Chain) — CONCERN level

Finding: "uses unpinned latest Docker tag"
Response: AGENTMEMORY_III_VERSION=latest was a deliberate trade-off: the npm CLI hard-codes IIPINNED_VERSION=0.11.2, forcing users onto a 2-year-old engine. We override it to get critical fixes (BM25+Vector triple-stream, graph functions). The skill recommends pinning in production. This is documented risk disclosure, not concealment.

ASI03 (Docker Socket) — CONCERN level

Finding: "Docker socket access"
Response: agentmemory requires Docker to run the iii-engine (KV store + graph engine). This is a known architectural requirement — not optional privilege escalation. The skill documents this clearly.

ASI10 (Rogue Agents) — NOTE level

Finding: "loginctl enable-linger"
Response: This is fully disclosed. Memory persistence is the entire point of the skill. Uninstall instructions (systemctl --user stop/disable) are included.

ASI03 (Embedding API Keys) — NOTE level

Finding: "third-party embedding credentials"
Response: BM25-only mode requires ZERO API keys. Vector search is OPTIONAL. SKILL.md guides users to choose between VoyageAI/Cohere/阿里云百炼 with dedicated keys. This is documented and purpose-aligned.

ASI02 (Tool Misuse) — NOTE level

Finding: "memory_forget/memory_import can alter memories"
Response: These tools require explicit user/agent action. There is no automatic destructive operation. Bulk operations are user-driven with documented consequences.

Conclusion: All 7 findings are either (a) disabled-by-default features, (b) documented design decisions, or (c) disclosed risks with clear mitigations. The skill is purpose-aligned with transparent risk disclosure. I respectfully request the verdict be changed to "Purpose-aligned" or the Suspicious flag be lifted with a note explaining the mitigations.

Thank you for your consideration.
lufei4

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Incorrect, stale, or poisoned memories could steer future sessions and be treated like high-priority instructions by the agent.

Why it was flagged

The included plugin injects mutable, retrieved memory as system-role messages before the agent runs, making saved memory much more authoritative than ordinary retrieved context.

Skill content
role: 'system',
content: `[agentmemory] Relevant memory: ${m.content}`
Recommendation

Do not enable automatic memory injection unless you trust and regularly review the memory store; prefer a lower-priority role, clear labeling, sanitization, and user approval for high-impact recalled instructions.

What this means

Sensitive project details, user preferences, or accidental prompt-injection text may be retained and reused in later sessions.

Why it was flagged

When the included plugin is enabled, it automatically persists a session summary or the last message after agent execution, without showing a per-save approval or retention boundary in the code.

Skill content
async onAfterAgent(context) {
  ...
  await axios.post(`${this.baseUrl}/agentmemory/save`, {
    content: summary,
    type: 'observation',
    tags: this.extractTags(context),
    metadata: { session: context.sessionId, timestamp: new Date().toISOString() }
  })
Recommendation

Enable auto-capture only for workspaces where persistent memory is desired; review stored memories, configure retention/deletion practices, and avoid saving secrets or untrusted instructions.

What this means

If the memory service or its dependencies are compromised, Docker socket access can potentially affect containers and the host environment.

Why it was flagged

The production setup directs the memory service to use the system Docker socket, which is a powerful local privilege boundary and is not meaningfully scoped in the artifacts.

Skill content
The service uses the system Docker socket at `/var/run/docker.sock` (owned by `root:docker`). Do NOT set `DOCKER_HOST` — the default socket path is correct.
Recommendation

Use this only on trusted machines; inspect the service and upstream package, pin versions, avoid unnecessary Docker privileges, and consider isolating the service.

What this means

A future upstream package or Docker image change could alter behavior of the persistent memory service.

Why it was flagged

The documented setup pulls npm packages and a Docker image without pinning exact versions; this is central to the integration but means installed code can change over time.

Skill content
npx @agentmemory/agentmemory
...
"args": ["-y", "@agentmemory/mcp"]
...
`AGENTMEMORY_III_VERSION` | `latest`
Recommendation

For production, pin exact npm and Docker image versions, keep a record of reviewed versions, and update deliberately.

What this means

The memory service may continue running and retaining data until the user stops or disables it.

Why it was flagged

The skill documents a background service and linger setup so the memory server can keep running across logins; this is aligned with persistent memory but should be explicit to users.

Skill content
systemctl --user enable agentmemory
systemctl --user start agentmemory
loginctl enable-linger $(whoami)
Recommendation

Enable persistence only if needed, monitor logs, and know how to stop and disable the user service.

What this means

An agent or user could accidentally delete, replace, or export important memory records.

Why it was flagged

The MCP tool surface includes deleting, exporting, importing, and replacing persistent memories; these are expected for a memory system but can have broad effects if used accidentally.

Skill content
memory_forget(pattern?: string, id?: string)
...
memory_snapshot(format?: "json" | "markdown")
...
memory_import(memory: Memory[], strategy?: "merge" | "replace")
Recommendation

Ask for confirmation before destructive memory operations, keep backups or snapshots, and restrict memory tools in sensitive workspaces.

What this means

If vector search is enabled, memory text may be processed using the selected embedding provider and the API key must be protected.

Why it was flagged

Vector-search configuration optionally uses third-party embedding provider credentials; this is disclosed and purpose-aligned, and BM25-only mode needs no key.

Skill content
`VOYAGE_API_KEY` ... `COHERE_API_KEY` ... `OPENAI_API_KEY` + `OPENAI_BASE_URL` + `EMBEDDING_PROVIDER=openai`
Recommendation

Use dedicated low-scope API keys, understand the provider’s data handling, and stay in BM25-only mode if third-party embedding is not needed.