pensieve-algorand
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent memory-and-blockchain anchoring skill, but it needs review because it handles a crypto wallet mnemonic, can sign fee-bearing blockchain transactions, and has inconsistent recovery claims.
Install only if you want persistent local memory plus encrypted Algorand anchoring. Use a new, dedicated low-balance wallet and a separate note-encryption key, never a main wallet. Review captured memories before anchoring, avoid secrets or regulated data, and verify the full server.py and recovery behavior because the supplied artifacts conflict about what is recoverable.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured with a valuable wallet or mishandled key, the agent-side server has access to sensitive wallet material and can sign anchoring transactions.
The skill asks for cryptocurrency signing material and an encryption key; this is high-impact credential access, and the supplied registry metadata separately declares no primary credential or required env vars.
"ALGORAND_WALLET_MNEMONIC": "<25-word mnemonic>", ... "ALGORAND_NOTE_KEY_HEX": "<64 hex chars = 32 bytes>"
Declare these credentials in metadata, use only a dedicated low-balance wallet and fresh note key, and never configure a main wallet mnemonic for this skill.
A mistaken or autonomous anchor call could spend fees and publish encrypted memory payloads to a public blockchain.
The anchoring path signs and broadcasts Algorand transactions. Even zero-amount self-payments are irreversible public-chain writes and consume wallet fees.
txn = PaymentTxn(sender=sender, sp=sp, receiver=sender, amt=0, note=note)
return client.send_transaction(txn.sign(sk))
Require explicit user approval or a mandatory dry-run before broadcasting, keep the wallet balance minimal, and make transaction costs and on-chain permanence clear.
Sensitive, incorrect, or poisoned memories may remain in local memory files and may later be encrypted and anchored.
The skill intentionally creates persistent memory records and instructs that they not be rewritten or deleted, which is important for integrity but also affects privacy and correction.
All `*.jsonl` files are append-only. Never rewrite or delete lines.
Avoid capturing secrets or private data, review memories before anchoring, and add a documented redaction/tombstone process if deletion is not allowed.
Users may believe the blockchain anchor fully recovers all memory layers when some layers may only be regenerated or not recovered exactly.
The server describes anchoring only events, while other artifacts describe recovery of semantic, procedural, and self_model layers. This can overstate what disaster recovery actually preserves.
L2 — Events-only anchor: hash fields stripped ... semantic/procedural/self_model omitted (regeneratable via dream_cycle).
Align the documentation and code, state exactly which layers are anchored, and have validation output distinguish exact recovery from regenerated content.
Future installs could behave differently if upstream packages change or are compromised.
Dependencies are listed without version pins or hashes, so installations may resolve to different package versions over time.
mcp algosdk cryptography
Pin dependency versions, consider hashes or a lockfile, and document the tested Python/package versions.
