UseMemos

Review

Audited by ClawScan on May 1, 2026.

Overview

This skill appears purpose-aligned for managing a UseMemos account, but it uses an account token and can read, create, upload, and delete memo-related content.

Before installing, make sure you trust the UseMemos URL, use a scoped or expiring token where possible, protect the .env file, and review any requested file uploads, public memo visibility changes, or delete actions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with the wrong file path, memo ID, visibility, or delete target, the agent could upload sensitive local files, create public content, or remove a comment-like memo.

Why it was flagged

The skill exposes actions that can upload local files to UseMemos and mutate or delete memo-related content. This is disclosed and aligned with the skill purpose, but users should ensure these actions are intentional.

Skill content

`upload_attachment.py` | `<filepath> [filename] [type]` | Upload a file attachment
...
`memo_comments.py` | `<list\|add\|delete> [args...]` | Manage comments on a memo

Recommendation

Review file paths, memo visibility, memo IDs, and delete requests before allowing the agent to run these commands.

What this means

A long-lived or overbroad token stored in the skill directory could allow continued access to private memos and account mutations if exposed.

Why it was flagged

The skill requires a UseMemos access token and suggests that a never-expiring token is convenient. The token is expected for the integration, but it grants ongoing account access.

Skill content

USEMEMOS_TOKEN=your_access_token_here ... create one there, do not forget to assign expiration (i use **Never** to avoid troubles

Recommendation

Use an expiring or least-privilege token if available, keep the .env file private, and prefer HTTPS for non-local UseMemos URLs.

What this means

Sensitive memo text may be shown to the agent, and any instructions written inside memos should not be treated as higher-priority commands.

Why it was flagged

Search results print memo content snippets, which means persistent UseMemos content can be brought into the agent context. This is expected for a memo-search skill, but the content may be private or contain untrusted instructions.

Skill content

snippet = m['content'][:100].replace('\n', ' ')
print(f"[{memo_id}] {snippet}...")

Recommendation

Search narrowly, avoid storing secrets in memos you expose to the agent, and treat retrieved memo content as data rather than instructions.