Enhanced Memory System V3
WarnAudited by ClawScan on May 10, 2026.
Overview
This memory skill is purpose-aligned, but it needs review because it can run unsafe shell commands, read/write outside its memory folder, and automatically send stored memories to MiniMax using an undeclared API key.
Do not install this unless you are comfortable with persistent memories, external MiniMax processing, and the current local-file risks. If testing, disable vector search and AutoDream, avoid storing secrets, use a dedicated low-privilege MiniMax key, and wait for path containment and shell-execution fixes.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious search query or saved memory entry could run commands on the user's machine when vector search is used.
The skill constructs a shell command from the search query or memory text and executes it. Only double quotes are escaped, so crafted text containing shell-breaking characters could execute local commands.
const curlCmd = ... ${model} ... ${cleanText.replace(/"/g, '\\"')} ...; const { stdout } = await execAsync(curlCmd, { timeout: 30000 });Replace shell-based curl with fetch or spawn/execFile using fixed arguments, and disable vector search until command injection is fixed.
If invoked with a crafted path, the agent could read files outside the memory store, potentially exposing private local files.
memory_get accepts absolute paths and relative paths without checking that the resolved file remains inside memoryDir.
if (!path.isAbsolute(p)) { return path.join(baseDir, p); } return path.resolve(p); ... const content = await fs.readFile(fullPath, 'utf-8');Reject absolute paths and '..' traversal, normalize paths, and enforce that all reads remain under the configured memory directory.
A mistaken or manipulated invocation could create or overwrite files outside the intended memory directory.
memory_write uses the same unbounded path expansion and then writes to that resolved path, including overwrite mode.
if (!path.isAbsolute(p)) { return path.join(baseDir, p); } return path.resolve(p); ... await fs.writeFile(fullPath, content, 'utf-8');Constrain writes to memoryDir, block absolute/traversal paths, consider extension allowlists, and require explicit approval for overwrites.
Private user preferences, feedback, project notes, or secrets stored in memory may leave the local machine and be processed by a third-party provider.
AutoDream builds prompts from memory file contents and sends them to the MiniMax API.
recentFiles.map(f => `## ${f.relativePath}\n${f.content.slice(0, 2000)}`) ... fetch('https://api.minimaxi.com/anthropic/v1/messages', ... content: prompt)Make external consolidation opt-in, clearly disclose MiniMax data transfer, add redaction controls, and allow local-only AutoDream.
A cloud API key may be used automatically for memory consolidation, potentially consuming account quota and granting access not obvious from the registry metadata.
The code uses a MiniMax bearer token from the environment, but the registry metadata declares no required environment variables or primary credential.
const resolvedApiKey = apiKey || process.env.MINIMAX_CODING_API_KEY; ... 'Authorization': `Bearer ${apiKey}`Declare MINIMAX_CODING_API_KEY as a credential, document its scope and cost implications, and require explicit user enablement before use.
Private and team memory categories may be mixed in search results or reused in future context more broadly than the user expects.
The tool accepts a memory type parameter, but the handler does not pass it to the search function, weakening the advertised user/feedback/project/reference separation.
handler: async (params: { query: string; topK?: number; type?: string; group?: string }) => { return await memorySearch(params.query, params.topK || 5, params.group, config); }Enforce type and scope filters in code, preserve provenance for memory entries, and avoid auto-loading shared or private memories outside their intended context.
An incorrect consolidation could erase or distort memory and affect future sessions that rely on that stored context.
The skill describes automatic background consolidation that can delete and update persistent memory, but the artifacts do not show review, backup, or rollback controls.
AutoDream 自动整合系统,在空闲时整理记忆。 ... 识别过时信息并删除 ... 更新 MEMORY.md 索引
Add dry-run review, backups/versioning, and explicit confirmation before deleting or rewriting persistent memories.