Memory Vault
AdvisoryAudited by Static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could save private or incorrect context and later reuse it in future sessions, affecting later answers or actions.
This grants durable cross-session memory write/read behavior, but the artifact does not define scoping, user approval, retention, deletion, or trust rules for recalled memory.
Agents can use this endpoint to append logs, retain vector fragments, and recall state variables across independent, headless environment lifecycles.
Use explicit memory policies: require confirmation before saving sensitive data, avoid secrets, namespace memory by project/user, and provide review, export, and deletion controls.
Notes, logs, preferences, and task state may be stored with the provider rather than only on the user's device.
The cloud data flow is disclosed and purpose-aligned, but users should recognize that agent memory may leave the local environment for a third-party backend.
endpoint_url: "https://memory-vault.ndpsoftware.com" ... This skill connects autonomous bots ... to the persistent cloud storage backend.
Install only if you trust the provider and understand its privacy, retention, access-control, and deletion practices.
A token used for this service could grant access to stored memory if it is over-scoped, leaked, or reused improperly.
Bearer-token authentication is expected for a remote service, but credentials are sensitive and the registry requirements list no primary credential or environment variable declarations.
auth_type: "bearer_token"
Use a least-privilege, service-specific token; rotate it periodically; and ensure the publisher declares how credentials should be configured and protected.