Memos Cli

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill is aligned with managing Memos through a CLI, but users should verify the external Go CLI source and use least-privilege Memos credentials.

Before installing, verify the GitHub CLI source and consider pinning a version instead of using `@latest`. Provide only the Memos credentials needed for the task, avoid committing `.env` secrets, confirm destructive or public changes, and prefer the `memos-cli` binary over the inconsistent `go run .` example.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You may run code from a remote repository version that can change over time.

Why it was flagged

The skill depends on installing an external Go module at the moving `@latest` version, and no code or lockfile is included in the artifact set for review.

Skill content

go install github.com/rogeecn/memos-cli@latest

Recommendation

Install only after checking the repository, consider pinning a specific version, and avoid running the CLI with more privileges than needed.

What this means

The CLI can access or modify Memos data using your API key, and the admin key may expose administrative user information.

Why it was flagged

The skill requires normal and optional admin Memos credentials for API access. This is expected for the integration, but it grants account-level authority.

Skill content

MEMOS_API_KEY=your-api-key
MEMOS_ADMIN_API_KEY=your-admin-api-key

Recommendation

Use the least-privileged API key that can complete the task, avoid storing secrets in committed files, and do not provide the admin key unless the task truly needs it.

What this means

Mistaken IDs or unclear instructions could modify, publish, or delete the wrong memo.

Why it was flagged

The documented CLI can change memo contents, make memos public, and delete memos. The skill does include a delete confirmation rule, so this is disclosed and purpose-aligned.

Skill content

memos-cli memo update <memo-id> --visibility PUBLIC
memos-cli memo delete <memo-id> --yes

Recommendation

Review target memo IDs and content before write operations, and require explicit user confirmation for destructive or public-visibility changes.

What this means

If run from the wrong directory, `go run .` could execute unintended local project code.

Why it was flagged

The skill mostly requires the installed binary, but one workflow shows `go run .`, which could execute local Go code and conflicts with the safer canonical-entrypoint instruction.

Skill content

Use `memos-cli` as the canonical entrypoint. Do not use `go run .` in this skill.

...

go run . config check
go run . user list

Recommendation

Prefer `memos-cli` for all workflows, and only use `go run .` if you have intentionally reviewed and are in the trusted CLI source directory.