Stigmem

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly transparent about providing shared persistent memory, but its boot path can pull broad company-scoped memory into the agent context, including through an escalation query that appears to apply no per-agent filter.

Install only if you intend to give the agent persistent shared memory through your Stigmem node. Use a private node, a least-privilege API key, a unique source entity, and narrow scopes; review or patch the escalation filtering before using it in production.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A compromised or shared Stigmem node could influence what the agent believes or prioritizes.

Why it was flagged

The skill intentionally places retrieved external memory into agent instructions, which can influence goals. The risk is disclosed and mitigations are described, so this is a note rather than a standalone concern.

Skill content

`boot()` retrieves facts from an external Stigmem node and injects them into the agent's system prompt. A compromised or misconfigured node can craft fact values that redirect agent goals.

Recommendation

Use a private access-controlled node, treat retrieved facts as untrusted, and avoid injecting full summaries in high-stakes workflows.

What this means

The agent may see or be influenced by unrelated company-wide escalations, and those facts may enter its working context.

Why it was flagged

The comment says this is for recent escalations for this agent, but the query shown has no target-agent, user, or project filter. It can pull company-scoped escalation facts into boot memory more broadly than the stated per-agent purpose.

Skill content

```python
escalations = self._query_all(
    relation="intent:escalation",
    scope="company",
    min_confidence=0.8,
)
facts.extend(escalations)
```

Recommendation

Filter escalations by intended recipient, user, project, and validity window before adding them to boot context; use local or narrower scopes by default where possible.

What this means

Incorrect decisions, handoffs, or escalations can continue affecting future sessions until retracted.

Why it was flagged

Persistent shared memory is the core purpose of the skill and is clearly disclosed, but users should understand that mistakes or poisoned facts can affect later agents.

Skill content

Facts written by this adapter persist durably and propagate to every agent on the same node. An incorrect decision or handoff influences all future sessions until explicitly retracted.

Recommendation

Use separate nodes or namespaces for experiments, write only confirmed facts to shared scopes, and retract incorrect facts promptly.

What this means

An over-privileged key could allow broader memory reads or writes than intended if the agent or node is misconfigured.

Why it was flagged

The skill may use an API key with read/write access to the Stigmem node. This is expected for the integration and the documentation gives least-privilege guidance.

Skill content

STIGMEM_API_KEY ... Use a least-privilege key scoped to the intended node only; rotate regularly.

Recommendation

Create a dedicated least-privilege key per deployment and rotate or revoke it when needed.

What this means

Future dependency releases that still satisfy the declared version range could change behavior or introduce vulnerabilities without any change to the skill itself.

Why it was flagged

The dependency is declared and purpose-aligned, but it is a version range that includes alpha pre-1.0 releases rather than a pinned reviewed version.

Skill content

uv | package: stigmem-py>=0.9.0a1,<1.0.0

Recommendation

Pin and review the exact stigmem-py version in production environments.