ClawHub

agent-memory

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward local memory tool for agents, but it will save conversation-derived facts across sessions and users should verify the exact package identity.

Install this only if you want your agent to keep memory across sessions. Before enabling the AGENTS.md or HEARTBEAT.md protocol, decide what kinds of facts may be saved, avoid storing secrets, periodically review or delete the database at ~/.agent-memory/memory.db, and verify the package identity because the provided metadata is not fully consistent.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI06: Memory and Context Poisoning
Low
What this means

If sensitive, stale, or incorrect information is saved, the agent may recall it later and use it as context in future tasks.

Why it was flagged

The skill is explicitly designed to persist and later reuse conversation-derived facts, lessons, and entity information across sessions.

Skill content
On session start: ... Load recent lessons ... Recall relevant facts ... On session end: Extract durable facts from conversation ... Default: `~/.agent-memory/memory.db`
Recommendation

Use it for durable non-secret facts, review and delete memories periodically, and treat recalled memories as context rather than authoritative instructions.

#
ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Package identity confusion could make it harder to confirm that the installed skill is the same one reviewed here.

Why it was flagged

The embedded package metadata does not match the evaluated registry metadata, which lists a different owner ID and slug, while the registry source/homepage are also unknown.

Skill content
"ownerId": "kn79xt54feg7bq89ehsvcp01zn809mp1", "slug": "agent-memory"
Recommendation

Verify the exact ClawHub package, owner, and source repository before installing, especially because the skill creates persistent local memory.