Rag Memory
Warn
Audited by ClawScan on May 18, 2026.
Overview
This RAG memory skill is purpose-aligned, but it can automatically send prompts and memory content to configured services, store raw memory text in Qdrant, and install persistent background sync jobs.
Install only if you are comfortable with memory files, database records, and some prompt text being sent to your configured embedding/Qdrant services. Use trusted self-hosted endpoints, least-privileged database/API credentials, review the missing systemd units before any sudo deployment, and consider disabling auto_inject unless you want automatic memory context on every response.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the configured Qdrant collection may be able to read chunks from memory files, skill docs, or database records.
Qdrant point payloads include the raw text chunk, so Qdrant stores readable memory/document content, not only vectors and metadata.
"payload": { "text": text, "chunk_index": i + j, **metadata }
Document that raw text is stored in Qdrant, restrict Qdrant access, use trusted/self-hosted endpoints, and consider an option to omit or encrypt text payloads.
Private details in ordinary user prompts may be sent to the embedding service automatically, not only when the user explicitly asks for vector search.
When auto-inject is enabled, the hook derives text from the latest user message and sends up to 500 characters to the configured embedding endpoint during prompt construction.
api.registerHook("before_prompt_build", async (ctx) => { ... const query = ... lastUser.content ... const vector = await embed(cfg, query.slice(0, 500));
Make auto-injection opt-in or clearly warn users; disable auto_inject unless desired; configure only trusted embedding endpoints.
A bad memory entry or indexed document could influence future answers and tool choices across sessions.
The guide encourages the agent to trust retrieved memory strongly, while retrieved memory/docs can be stale, incorrect, or poisoned and are also auto-injected into prompts by the plugin.
`score >= 0.85` — high confidence, treat as authoritative
Treat retrieved memory as untrusted context, require source verification for important actions, and avoid language that makes vector results authoritative by default.
Users may provide a broader database credential than expected, or a read-only credential may fail during sync.
This indicates the sync process may write to Postgres, while the SKILL.md endpoint table describes Postgres use as read-only queries, leaving the required database privilege scope ambiguous.
Records sync state in the `qdrant_sync_log` Postgres table
Clarify the exact Postgres permissions needed and use a least-privileged DSN limited to the required source tables and sync-log table.
A privileged background-service install may fail or depend on files outside the reviewed package.
The deployment script installs and enables systemd units, but those referenced unit files are not included in the supplied file manifest, so their persistent behavior cannot be reviewed from the artifacts.
UNITS=( sysclaw-rag-sync.service sysclaw-rag-sync.timer sysclaw-rag-watch.path sysclaw-rag-watch.service ) ... > "/etc/systemd/system/${unit}"
Do not run the sudo deployment until the unit files are present and reviewed; publishers should include the referenced units in the package.
Memory files may continue being embedded and synced after setup without a manual command each time.
The skill intentionally supports background sync via systemd path/timer units. This is disclosed and purpose-aligned, but it is persistent behavior users should notice.
Incremental sync also fires automatically when any `.md` file changes ... Nightly full sync runs at 03:00
Install the systemd units only if continuous sync is desired, and know how to disable the timer/path watcher.
Running the monitor executes a local Node.js command, so local script integrity matters.
The monitoring helper uses shell execution to run a fixed local analyzer script. This matches the monitoring purpose and does not show user-controlled command arguments.
const raw = execSync(`node "${analyzerPath}" "${usageLog}"`, { encoding: 'utf8' });
Keep the skill directory writable only by trusted users and review helper scripts before running them.
