memU: Persistent Memory for 24/7 Agents

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate persistent-memory integration, but it deserves review because it can retain and reuse sensitive conversations, documents, logs, and retrieved memories over time.

Review this skill before installing it if your agent handles private conversations, documents, logs, customer data, or operational alerts. It shows no clear malicious behavior, but before use you should define what may be memorized, where it is stored, how long it is retained, how it can be deleted, and whether retrieved memory may be written to logs or used to drive real-world actions.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI06: Memory and Context Poisoning
Medium
What this means

Private conversations, documents, logs, or mistaken facts could remain in memory and be reused in future answers or decisions.

Why it was flagged

The skill's memory layer can preserve raw inputs such as conversations, documents, images, and logs for long-running reuse. This is purpose-aligned, but it is high-impact because sensitive or incorrect information may persist and influence later agent behavior without clear retention or deletion guidance in the artifacts.

Skill content
Resources are never discarded; they serve as the ground truth.
Recommendation

Only memorize data you are comfortable retaining; configure clear user/tenant scoping, retention, deletion, and redaction policies before using it with sensitive data.
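The following is an added example, not code from the skill or from the memU project, of what "user/tenant scoping, retention and deletion" look like when enforced in code. The ScopedMemoryStore class, its DEFAULT_TTL table and the plain in-memory list it uses are all assumptions made for illustration; in a real deployment the same policy layer would wrap the actual memory backend.

```python
import time
from dataclasses import dataclass
from typing import Optional

_UNSET = object()  # sentinel: caller did not state a retention decision


@dataclass
class Memory:
    id: int
    tenant: str
    category: str
    content: str
    created_at: float
    expires_at: Optional[float]  # None = retain until explicitly deleted


class ScopedMemoryStore:
    """Hypothetical retention policy layer for an agent's memory (example code,
    independent of memU; memories live in a plain list here). Every write is
    bound to a tenant and to an explicit retention decision, reads never cross
    tenant boundaries, and deletion works per tenant or per memory."""

    # Constructed default retention per category. Unknown categories must pass
    # ttl_seconds explicitly so nothing is stored without a retention decision.
    DEFAULT_TTL = {"conversation": 7 * 86400, "document": 30 * 86400, "log": 86400}

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._items: list = []
        self._next_id = 1

    def memorize(self, tenant, category, content, ttl_seconds=_UNSET):
        if not tenant:
            raise ValueError("refusing to memorize without a tenant scope")
        if ttl_seconds is _UNSET:
            if category not in self.DEFAULT_TTL:
                raise ValueError(f"no retention policy for category {category!r}")
            ttl_seconds = self.DEFAULT_TTL[category]
        now = self._clock()
        expires = None if ttl_seconds is None else now + ttl_seconds
        memory = Memory(self._next_id, tenant, category, content, now, expires)
        self._next_id += 1
        self._items.append(memory)
        return memory.id

    def purge_expired(self):
        """Drop memories past their expiry; returns how many were removed."""
        now = self._clock()
        before = len(self._items)
        self._items = [m for m in self._items
                       if m.expires_at is None or m.expires_at > now]
        return before - len(self._items)

    def retrieve(self, tenant, query):
        """Substring lookup restricted to one tenant; expiry is applied first."""
        self.purge_expired()
        needle = query.lower()
        return [m for m in self._items
                if m.tenant == tenant and needle in m.content.lower()]

    def forget(self, tenant, memory_id=None):
        """Delete one memory or a whole tenant; returns how many were removed."""
        keep, removed = [], 0
        for m in self._items:
            if m.tenant == tenant and (memory_id is None or m.id == memory_id):
                removed += 1
            else:
                keep.append(m)
        self._items = keep
        return removed


if __name__ == "__main__":
    store = ScopedMemoryStore()
    store.memorize("acme", "log", "backup job cron ran at 02:00")
    print(len(store.retrieve("acme", "backup")), "memory for acme;",
          len(store.retrieve("globex", "backup")), "for globex")
```

The category-to-TTL table is the place where the retention policy becomes explicit: a caller that wants a category the table does not know, or wants indefinite retention, has to say so in the call rather than getting it by default.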

ASI06: Memory and Context Poisoning
Medium
What this means

Sensitive remembered information could end up in log files or monitoring systems.

Why it was flagged

The production-labeled example logs retrieved memory contents at INFO level. If copied into a real deployment, sensitive memorized facts could be exposed through application logs.

Skill content
logger.info("Retrieved: [%s] %s", m.category, m.content)
Recommendation

Avoid logging raw memory content in production; log counts, IDs, or redacted summaries instead.
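As an added example (not code from the skill or from memU), the flagged logger.info call is shown beside a hardened replacement, together with the redaction helper that the retention recommendation above also calls for. The REDACTORS rules, the Memory dataclass, retrieval_summary, RedactingFilter and the sample memories are constructed for this illustration and are not memU's API.

```python
import hashlib
import logging
import re
from dataclasses import dataclass

# Constructed redaction rules: OpenAI-style secret keys, e-mail addresses and
# 13-16 digit card-like numbers. Extend these for whatever the agent memorizes.
REDACTORS = [
    (re.compile(r"\bsk-[A-Za-z0-9]{16,}\b"), "[REDACTED_API_KEY]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[REDACTED_EMAIL]"),
    (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "[REDACTED_CARD]"),
]


def redact(text: str) -> str:
    for pattern, replacement in REDACTORS:
        text = pattern.sub(replacement, text)
    return text


@dataclass
class Memory:
    id: str
    category: str
    content: str


def memory_fingerprint(content: str) -> str:
    """Short stable reference to a memory's content: loggable, correlatable
    across log lines, and not reversible into the content itself."""
    return hashlib.sha256(content.encode()).hexdigest()[:12]


def retrieval_summary(memories, preview_chars=0):
    """Log-safe description of a retrieval: counts, ids, categories and
    fingerprints, plus an optional redacted preview (off by default)."""
    summary = {
        "count": len(memories),
        "ids": [m.id for m in memories],
        "categories": sorted({m.category for m in memories}),
        "fingerprints": [memory_fingerprint(m.content) for m in memories],
    }
    if preview_chars:
        summary["preview"] = [redact(m.content)[:preview_chars] for m in memories]
    return summary


class RedactingFilter(logging.Filter):
    """Last line of defence: scrub every formatted message on its way out,
    so a stray raw-content log call still does not leak secrets."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def scrub_log_message(msg, args=()):
    """Run one message through RedactingFilter and return what would be emitted."""
    record = logging.LogRecord("memory", logging.INFO, "", 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


logger = logging.getLogger("memory")
logger.addFilter(RedactingFilter())


def log_retrieval(memories):
    # Flagged pattern from the skill's example (do not ship this):
    #   logger.info("Retrieved: [%s] %s", m.category, m.content)
    # Hardened replacement: identifiers and counts only, never the content.
    s = retrieval_summary(memories)
    logger.info("Retrieved %d memories ids=%s categories=%s fingerprints=%s",
                s["count"], s["ids"], s["categories"], s["fingerprints"])
    return s


if __name__ == "__main__":
    # Constructed sample memories, one of them containing a secret.
    sample = [Memory("m1", "log", "backup job ran"),
              Memory("m2", "conversation", "my key is sk-abcdefghijklmnopqrstuvwxyz012345")]
    logging.basicConfig(level=logging.INFO)
    print(log_retrieval(sample))
```

The filter is deliberately a second control, not the first: it catches mistakes, but the regex list will never be complete, so the structured summary (ids and fingerprints rather than content) is what production code should call.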

ASI03: Identity and Privilege Abuse
Low
What this means

The configured LLM provider may receive content that the agent memorizes or retrieves.

Why it was flagged

The skill requires an OpenAI-compatible API key so memU can use LLM and embedding APIs. This is expected for the stated purpose, and the examples read the key from the environment rather than hardcoding a real secret.

Skill content
requires:
  env:
    - OPENAI_API_KEY
Recommendation

Use a dedicated, least-privilege API key where possible and understand the data-handling policy of the configured LLM provider.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the package runs third-party code outside the reviewed skill files.

Why it was flagged

The skill depends on the external memu-py package, whose implementation is not included in the reviewed artifacts. This is normal for an instruction-only integration skill, but users are trusting third-party package provenance.

Skill content
pip install memu-py
Recommendation

Install from the official package source, consider pinning versions, and review the upstream memU project before production use.
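The pinning recommendation can be enforced rather than remembered. Below is an added example (not part of the skill or of memU) of a requirements-file check that a CI job or pre-commit hook can run before pip install --require-hashes: every requirement must pin exactly one version with == and carry a sha256 hash, and extra package indexes are flagged because they let pip resolve a name from more than one source. The check_requirements function, the regexes and SAMPLE_REQUIREMENTS (with a placeholder hash of zeros, not a real digest) are constructed for this illustration.

```python
import re

# Accepted only when the line pins one exact version and carries a sha256
# hash; pip then verifies the artifact with: pip install --require-hashes -r requirements.txt
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?==[A-Za-z0-9.!+*-]+")
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")


def _logical_lines(text):
    """Yield (first_line_number, joined_line), honouring backslash continuation
    and skipping comments and blank lines."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.split(" #", 1)[0].rstrip()   # trailing comment
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def check_requirements(text):
    """Return a list of (line_number, problem) for everything that would not
    survive a hash-checked, single-index install."""
    problems = []
    for n, line in _logical_lines(text):
        if line.startswith("--index-url"):
            continue  # one trusted index is fine
        if line.startswith("--extra-index-url"):
            problems.append((n, "extra index: pip may resolve the name from either "
                                "index (dependency confusion risk); use a single --index-url"))
            continue
        if line.startswith("-"):
            problems.append((n, "option line (-e, -r, --find-links, ...) is outside hash checking; review manually"))
            continue
        if "://" in line or line.startswith("git+"):
            problems.append((n, "URL/VCS requirement is not pinned to a released, hashed artifact"))
            continue
        if not PIN_RE.match(line):
            problems.append((n, "not pinned to an exact version with =="))
        if not HASH_RE.search(line):
            problems.append((n, "no --hash=sha256:... ; pip cannot verify the download"))
    return problems


PLACEHOLDER_HASH = "0" * 64  # constructed placeholder, not a real digest

# Constructed sample file mixing the skill's bare `memu-py` line with pinned,
# ranged and extra-index entries.
SAMPLE_REQUIREMENTS = f"""\
# constructed example requirements.txt
--extra-index-url https://mirror.example/simple
memu-py
requests==2.31.0 \\
    --hash=sha256:{PLACEHOLDER_HASH}
numpy>=1.26 --hash=sha256:{PLACEHOLDER_HASH}
"""

if __name__ == "__main__":
    for lineno, problem in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {problem}")
```

Real hashes come from the package index or from pip hash on a downloaded wheel; tools such as pip-compile --generate-hashes produce the pinned, hashed file that this check accepts.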

ASI08: Cascading Failures
Medium
What this means

If memory is wrong or outdated, an agent could make poor operational recommendations, such as suppressing alerts that should be escalated.

Why it was flagged

The example shows remembered context being used to suppress an operational alert. The demo does not actually call alerting tools, but it illustrates a deployment pattern where stale or poisoned memory could affect incident response.

Skill content
Agent decision: Suppress alert (matches known backup job pattern)
Recommendation

For monitoring, incident response, email triage, or similar workflows, require human approval or independent checks before memory-based recommendations trigger real actions.
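An added example (not code from the skill or from memU) of the independent-check gate this recommendation describes: the agent may act on a remembered "known backup job pattern" only when the memory was confirmed by an operator, is recent, and an independent source agrees; every other case escalates. The Alert, Memory and Decision dataclasses, the MAX_MEMORY_AGE limit, and backup_was_running (a constructed stand-in for a job-scheduler lookup) are assumptions made for this illustration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

MAX_MEMORY_AGE = 30 * 86400  # constructed: older memories must be re-confirmed before use


@dataclass
class Alert:
    host: str
    message: str
    fired_at: float


@dataclass
class Memory:
    host: str
    pattern: str          # substring a benign alert is expected to contain
    recorded_by: str      # "human" = operator-confirmed, "agent" = self-written
    created_at: float


@dataclass
class Decision:
    action: str           # "suppress" or "escalate"
    reason: str


def decide(alert: Alert, memories, corroborate: Callable[[Alert], bool],
           now: Optional[float] = None) -> Decision:
    """Fail-closed gate for memory-based alert handling. Suppress only when
    (1) a human-recorded memory matches, (2) it is fresh, and (3) an
    independent source corroborates; anything else escalates to a person."""
    now = time.time() if now is None else now
    text = alert.message.lower()
    match = next((m for m in memories
                  if m.host == alert.host and m.pattern.lower() in text), None)
    if match is None:
        return Decision("escalate", "no remembered pattern matches this alert")
    if match.recorded_by != "human":
        return Decision("escalate", "matching memory was written by the agent itself; "
                                    "not operator-confirmed")
    age_days = (now - match.created_at) / 86400
    if age_days > MAX_MEMORY_AGE / 86400:
        return Decision("escalate", f"matching memory is {age_days:.0f} days old; re-confirm first")
    if not corroborate(alert):
        return Decision("escalate", "memory says benign but the independent check disagrees "
                                    "(stale or poisoned memory?)")
    return Decision("suppress", f"human-confirmed pattern {match.pattern!r} and independent check agree")


# Constructed stand-in for an independent source (e.g. the job scheduler's API):
# hosts with a nightly backup window, in seconds since midnight UTC.
BACKUP_WINDOWS = {"db01": (2 * 3600, 4 * 3600)}


def backup_was_running(alert: Alert) -> bool:
    window = BACKUP_WINDOWS.get(alert.host)
    if window is None:
        return False
    seconds_into_day = alert.fired_at % 86400
    return window[0] <= seconds_into_day <= window[1]


if __name__ == "__main__":
    now = 1_699_930_000.0  # constructed timestamp inside db01's backup window
    known = [Memory("db01", "backup job", "human", now - 86400)]
    alert = Alert("db01", "High disk IO: backup job running", now)
    print(decide(alert, known, backup_was_running, now))
    late = Alert("db01", "High disk IO: backup job running", now + 6 * 3600)
    print(decide(late, known, backup_was_running, now))
```

The important property is the asymmetry: memory alone can never produce "suppress", but it can always produce "escalate" with the remembered context attached, which is the useful part of the skill without the cascading-failure risk.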