pg-memory
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill’s memory purpose is coherent, but it can persist very sensitive conversation/tool data and its remote database guidance includes risky hard-coded and broadly exposed access patterns.
Install only if you are comfortable with an agent memory system storing full conversation and tool context. Use a PostgreSQL server you control, replace all example IPs with your own verified host, restrict network access, use strong credentials and SSL, and add retention/redaction rules before storing sensitive work.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If followed as written, private memory data could be copied to or exposed through a server the user did not explicitly choose or properly restrict.
The migration guide moves a full memory database dump to a hard-coded remote host and also shows opening PostgreSQL access to all source IPs, which is not clearly limited to a user-controlled database.
scp ~/pg-memory-backup/migration_*.sql admin@100.98.247.27:/tmp/ ... PG_MEMORY_HOST=100.98.247.27 ... host all all 0.0.0.0/0 md5
Replace fixed host values with placeholders, require explicit user confirmation of the destination, avoid 0.0.0.0/0 access, use SSL, and create least-privilege database users.
Secrets, private files, command outputs, or misleading context captured during one task could persist and influence later sessions.
The skill is designed to persist full conversations, internal reasoning fields, tool parameters, tool results, and complete context snapshots for later recall.
Storage: Full conversation context (exchanges, tool calls, observations) ... raw_exchanges (every message + response) ... tool_executions (all tool calls with params/results) ... assistant_thinking TEXT ... full_context_snapshot JSONB
Use an isolated database you control, add redaction/exclusion rules, set retention limits, and require user confirmation before saving sensitive exchanges or tool outputs.
One agent or machine may read or reuse memory captured by another, depending on how the shared database is configured.
Shared memory across agents is an intended feature, but the artifacts indicate that configured instances can see shared observations through the same database.
Deploy pg-memory across multiple OpenClaw instances sharing one PostgreSQL database ... Search all instances can see
Only share the database among trusted agents, separate sensitive users/projects into different databases or roles, and audit what each instance can read and write.
A future dependency or repository change could alter what gets installed compared with the reviewed artifact.
The user-directed setup path installs an unpinned Python package and can clone/pull live code from GitHub rather than using a pinned, registry-declared install artifact.
$PYTHON -m pip install psycopg2-binary --quiet ... git clone https://github.com/pottertech/pg-memory.git "$INSTALL_DIR"
Pin dependency versions and commit hashes, provide a registry install spec, and verify the source before running setup scripts.
