Enhanced Memory System V2

Warn

Audited by ClawScan on May 10, 2026.

Overview

This memory skill has a coherent purpose, but its code can read/write outside its memory folder and builds shell commands from memory/search text, so it needs review before use.

Install only if you trust and can patch the code. Before use, disable vector search or replace the shell curl call, restrict memory_get and memory_write to the memory directory, review what gets stored in memory, and avoid storing secrets or private details until scope isolation is fixed.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted search query or poisoned saved memory could run commands on the user's machine with the agent's privileges.

Why it was flagged

The search query or memory text is inserted into a shell command and only double quotes are escaped; a single quote in that text can break out of the quoted JSON and execute local shell commands.

Skill content

const curlCmd = `curl -s http://localhost:11434/api/embeddings -d '{"model": "${model}", "prompt": "${cleanText.replace(/\"/g, '\\\"')}"}'`; ... await execAsync(curlCmd, { timeout: 30000 });

Recommendation

Replace shell-based curl with a safe HTTP client or spawn argument array, JSON-encode the request body, and disable vector search until this is patched.

What this means

A tool call could read arbitrary local files accessible to the agent, not just memory files.

Why it was flagged

memory_get accepts absolute paths and relative paths that can contain '..', with no check that the resolved file stays under memoryDir.

Skill content

if (!path.isAbsolute(p)) { return path.join(baseDir, p); } return path.resolve(p); ... const content = await fs.readFile(fullPath, 'utf-8');

Recommendation

Resolve and realpath the target, reject absolute paths and '..' traversal, and require the final path to remain inside the configured memory directory.

What this means

A mistaken or hijacked tool call could overwrite local project files, configuration, or other user data within the agent's filesystem permissions.

Why it was flagged

memory_write can create or overwrite files at absolute or path-traversed locations outside the intended memory directory.

Skill content

if (!path.isAbsolute(p)) { return path.join(baseDir, p); } return path.resolve(p); ... await fs.writeFile(fullPath, newContent, 'utf-8'); ... await fs.writeFile(fullPath, content, 'utf-8');

Recommendation

Constrain writes to memoryDir, reject traversal, restrict file extensions if appropriate, and require explicit approval for overwrite mode.

What this means

Private preferences, personal details, or stale/poisoned memories could affect group interactions or be inadvertently revealed.

Why it was flagged

Group sessions load the global MEMORY.md in addition to group memory, so private or global memory can be reused in a team/group context without an explicit boundary check.

Skill content

filesToLoad.push('MEMORY.md'); ... if (context.sessionType === 'group' && context.groupId) { filesToLoad.push(`memory/groups/${context.groupId}/MEMORY.md`); }

Recommendation

Separate private and team memory stores, avoid loading private/global memory in group sessions by default, and label loaded memory as untrusted context.

What this means

Users may believe a search is limited to one memory type when it can search across all memory files in scope.

Why it was flagged

The tool advertises a memory type parameter, but the handler ignores it, so searches are not actually scoped to user/feedback/project/reference categories.

Skill content

handler: async (params: { query: string; topK?: number; type?: string; group?: string }) => { return await memorySearch(params.query, params.topK || 5, params.group, config); }

Recommendation

Implement and test type-based filtering, or remove the parameter and update the documentation to avoid overstating privacy or scope controls.