Clude Memory MCP
MCP server for Clude's 4-tier cognitive memory system — store, recall, search, and dream. Built on Supabase + pgvector with type-specific decay, Hebbian asso...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 345 · 0 current installs · 0 all-time installs
bySebastien Sim@sebbsssss
MIT-0
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name/description describe a Supabase + pgvector memory MCP — requiring node and SUPABASE_URL + SUPABASE_SERVICE_KEY is expected. However the code and SKILL.md also reference actions that require additional credentials (Claude API calls, on-chain Solana commits, handling token/tweet events) but no corresponding environment variables are declared. The skill therefore asks for high-privilege DB access while omitting other credentials it clearly needs.
Instruction Scope
SKILL.md instructs installing 'clude-bot' and setting SUPABASE_URL/SUPABASE_SERVICE_KEY, and documents features that will call Claude and commit hashed memories to Solana. The instructions do not disclose that conversational content will be persisted, potentially sent to an LLM (Claude), and committed (hashed) on-chain (which can be irreversible and cost SOL). The runtime code returns full memory content in tool outputs, so sensitive user data could be stored and transmitted; the SKILL.md does not warn or require consent or list additional env keys.
Install Mechanism
There is no automated install spec (lower automated risk). But SKILL.md tells users to run 'npm install clude-bot' — an external package name with no homepage/source in the registry metadata. Installing that package would execute remote code from npm (moderate risk). Also included server.ts imports many local modules (../core/*, ../config) that are not present in the bundle, suggesting incomplete packaging or hidden dependencies that would need to be fetched.
Credentials
The skill requires SUPABASE_SERVICE_KEY: a powerful service_role key that grants full DB access (read/write and bypasses RLS). For a server process this can be justified, but it is high privilege and should be minimized or scoped. The skill also clearly needs other secrets (LLM API key, Solana signer or RPC credentials) that are not declared — omission of these sensitive envs is a mismatch and increases risk because hidden secrets usage could be required or added later.
Persistence & Privilege
The skill does not request 'always: true' and does not appear to change other skills or global agent settings. However it stores persistent user/agent memories in a database and may autonomously commit hashes on-chain and call external LLMs. Autonomous invocation combined with a Supabase service key increases the blast radius if misused — consider restricting runtime privileges and authorizations.
What to consider before installing
This skill is not obviously malicious but has several red flags. Before installing: (1) Do not provide your SUPABASE_SERVICE_KEY unless you trust the code — that key grants full DB access; prefer a scoped DB role. (2) Ask the author for full source for the missing modules (../core/*, ../config) and for a repository/homepage. (3) Clarify where Claude and Solana credentials are expected and what on-chain actions (and fees) will occur; do not use a real wallet/private key in testing. (4) Inspect the npm package 'clude-bot' on the registry before running npm install. (5) Decide if you consent to potentially persisting conversational content and sending it to external services; if not, run in an isolated environment or decline. If the author provides a repo, declared env list updates (including CLAUDE_*/SOLANA_*/RPC variables), and a scoped Supabase role, that would reduce risk; absent that, treat this as suspicious.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsnode
EnvSUPABASE_URL, SUPABASE_SERVICE_KEY
Primary envSUPABASE_URL
SKILL.md
Clude Memory MCP
MCP server exposing a 4-tier cognitive memory architecture inspired by Stanford's Generative Agents (Park et al. 2023).
Tools
recall_memories
Search the memory system. Returns scored memories ranked by relevance, importance, recency, and vector similarity.
query— text to search against memory summariestags— filter by tagsrelated_user— filter by user/agent IDmemory_types— filter by type:episodic,semantic,procedural,self_modellimit— max results (1-20, default 5)min_importance— minimum importance threshold (0-1)
store_memory
Store a new memory. Memories persist across conversations, decay over time if not accessed, and get committed to Solana.
type—episodic(events),semantic(knowledge),procedural(behaviors),self_model(identity)content— full memory contentsummary— short summary for recall matchingtags— tags for filteringimportance— importance score 0-1source— origin identifier (e.g.mcp:my-agent)
get_memory_stats
Get statistics: counts by type, average importance/decay, dream session history, top tags.
get_market_mood
Get current market mood and price state (no LLM call).
ask_clude
Ask Clude a question and get an in-character response. Calls Claude API.
Setup
npm install clude-bot
Requires a Supabase project with the schema from supabase-schema.sql. Set SUPABASE_URL and SUPABASE_SERVICE_KEY environment variables.
Architecture
- 4-tier memory: episodic (7%/day decay), semantic (2%/day), procedural (3%/day), self_model (1%/day)
- Hybrid retrieval: pgvector cosine similarity + keyword matching + tag scoring
- Dream cycles: consolidation, reflection, emergence — every 6 hours
- On-chain commitment: SHA-256 hashed memories committed to Solana via memo transactions
- Granular decomposition: per-fragment embeddings for precise sub-memory retrieval
License
MIT
Files
3 totalSelect a file
Select a file to preview.
Comments
Loading comments…