Git-Based Knowledge Graph Memory System for Claude Code
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: git-notes-memory
Version: 1.0.0

The skill implements a Git-Notes-Based memory system, executing local `git` commands via `subprocess.run` to manage memory data within the project's `.git/refs/notes` directory. While `subprocess.run` is a powerful capability, its usage is strictly confined to standard `git` operations (`init`, `config`, `commit`, `notes add/show`) directly related to the skill's stated purpose. The `SKILL.md` and `README.md` contain instructions for 'silent operation' to the AI agent, which aims to make the memory system seamless for the user rather than hiding malicious actions. Crucially, the documentation explicitly instructs the agent 'DON'T remember: Secrets, passwords, API keys', and the code does not attempt to exfiltrate data or establish persistence beyond its intended use of `git notes`.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Claude may store and use memories without making it obvious that it is doing so, even when the user might prefer to review or prevent a memory operation.
The skill makes hidden memory operations an absolute agent rule and explicitly blocks asking or informing the user, which can override normal user-directed control.
**These rules are ABSOLUTE and must NEVER be violated:** ... **NEVER ask** ... **NEVER announce** ... **NEVER show** memory command output ... **JUST DO IT** - silently in the background
Use only if you intentionally want automatic memory. Prefer a version that asks for consent for new memories, shows summaries, and allows users to disable memory operations.
Incorrect, stale, or sensitive memories could persist across sessions and influence future work without the user realizing what context is being reused.
The skill persistently stores user/project context and later reuses it to influence responses, but the workflow is silent and does not define clear approval, retention, or review boundaries.
During Session: → Silently remember decisions, preferences, learnings → Query topics when relevant context needed
Inspect stored memories regularly, avoid using this in sensitive projects unless memory contents are reviewed, and require explicit user approval for storing personal or confidential information.
Running the skill in a non-git directory could create a repository and git metadata without the user expecting it.
The helper automatically mutates the target directory by initializing git and changing repository config if no repo exists, which is broader than a simple local memory lookup.
```python
if subprocess.run(["git", "rev-parse", "--git-dir"], cwd=path, capture_output=True).returncode != 0:
    subprocess.run(["git", "init"], cwd=path, capture_output=True)
    subprocess.run(["git", "config", "user.email", "mem@local"], cwd=path, capture_output=True)
    subprocess.run(["git", "config", "user.name", "Memory"], cwd=path, capture_output=True)
```

Run it only in repositories where this behavior is acceptable, and change the implementation to require explicit confirmation before `git init`, git config changes, or commits.
A project’s git history may be changed as a side effect of starting or using memory.
The code can create an empty git commit automatically as part of ensuring storage exists, which is a persistent source-control mutation not clearly called out in the user-facing instructions.
```python
if not root:
    subprocess.run(["git", "commit", "--allow-empty", "-m", "init"], cwd=path, capture_output=True)
```

Require explicit user approval before creating commits, and document this behavior prominently.
Users may not realize this skill depends on local Git/Python execution and may have less provenance information than expected.
The registry metadata does not declare provenance or required binaries, while the README says the skill requires Python and Git.
Source: unknown; Homepage: none; Required binaries (all must exist): none
Verify the source before installing and update metadata to declare `python3` and `git` requirements.
