Memos Cli
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: memos-cli Version: 0.1.0 The skill provides a legitimate interface for the `memos-cli` Go tool to manage Memos data. It includes explicit safety instructions for the agent, such as performing configuration checks before execution, requiring confirmation for deletions, and strictly avoiding the leakage of API keys or secrets. No malicious patterns, exfiltration attempts, or harmful prompt injections were found in the documentation or command structures.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You may run code from a remote repository version that can change over time.
The skill depends on installing an external Go module at the moving `@latest` version, and no code or lockfile is included in the artifact set for review.
go install github.com/rogeecn/memos-cli@latest
Install only after checking the repository, consider pinning a specific version, and avoid running the CLI with more privileges than needed.
The CLI can access or modify Memos data using your API key, and the admin key may expose administrative user information.
The skill requires normal and optional admin Memos credentials for API access. This is expected for the integration, but it grants account-level authority.
MEMOS_API_KEY=your-api-key MEMOS_ADMIN_API_KEY=your-admin-api-key
Use the least-privileged API key that can complete the task, avoid storing secrets in committed files, and do not provide the admin key unless the task truly needs it.
Mistaken IDs or unclear instructions could modify, publish, or delete the wrong memo.
The documented CLI can change memo contents, make memos public, and delete memos. The skill does include a delete confirmation rule, so this is disclosed and purpose-aligned.
memos-cli memo update <memo-id> --visibility PUBLIC memos-cli memo delete <memo-id> --yes
Review target memo IDs and content before write operations, and require explicit user confirmation for destructive or public-visibility changes.
If run from the wrong directory, `go run .` could execute unintended local project code.
The skill mostly requires the installed binary, but one workflow shows `go run .`, which could execute local Go code and conflicts with the safer canonical-entrypoint instruction.
Use `memos-cli` as the canonical entrypoint. Do not use `go run .` in this skill. ... go run . config check go run . user list
Prefer `memos-cli` for all workflows, and only use `go run .` if you have intentionally reviewed and are in the trusted CLI source directory.