ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AgentRecall

v3.3.27

Persistent compounding memory for AI agents. 6 MCP tools: session_start, remember, recall, session_end, check, digest. Correction-first memory with watch_for...

0· 158·0 current·0 all-time
byMemijashi@goldentrii

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for goldentrii/agent-recall.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "AgentRecall" (goldentrii/agent-recall) from ClawHub.
Skill page: https://clawhub.ai/goldentrii/agent-recall
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install agent-recall

ClawHub CLI

Package manager switcher

npx clawhub@latest install agent-recall
Security Scan
Capability signals
CryptoRequires walletCan make purchasesRequires OAuth tokenRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description (persistent local memory) matches the repository contents, but the SKILL.md and other docs claim 'zero cloud, zero telemetry' and limited filesystem access (~/.agent-recall only) while also instructing use of npx and curl (network activity) and showing many code packages. The registry metadata said 'no install spec' yet SKILL.md includes an MCP install (npx agent-recall-mcp). These contradictions mean the declared purpose doesn't fully align with the actual install/runtime footprint.
!
Instruction Scope
SKILL.md and README instruct agents/humans to add MCP server entries across many client configs (.claude, .vscode, .hermes, .cursor, etc.), to curl files into client command folders, and to auto-sync MEMORY.md into client memory files. That goes beyond the stated 'read-write ~/.agent-recall only' boundary and has the practical effect of injecting files into other agent clients (which can change system prompts/loaded context). The SKILL.md also contains prompt-injection patterns (pre-scan flagged system-prompt-override) and post-tool hooks that, if applied, persist content into clients' loaded memory—this increases the attack surface relative to the claimed narrow scope.
Install Mechanism
Install uses npx (agent-recall-mcp) and README suggests curl from GitHub raw URLs. Those are common distribution methods (npm, GitHub raw) and not inherently malicious, but they are network-dependent despite the skill's 'network: none' listing. There is no opaque single-person-hosted binary or IP-based download in the provided snippets, but the presence of an npm package means users should verify the published package contents and maintainers before running npx.
!
Credentials
Declared 'required env vars: none' and 'filesystem: read-write ~/.agent-recall/ only' do not match the instructions, which tell humans/agents to write to client-specific paths (~/.claude/, ~/.vscode/mcp.json, ~/.hermes/config.yaml, etc.). The skill asks to modify other tools' configs and to write an AR-SYNC MEMORY.md into places that clients auto-load—this requires broader filesystem modification rights than declared and has implications for multiple agent clients on the machine.
!
Persistence & Privilege
always:false (good) but the docs and SKILL.md explicitly recommend adding hooks and writing files into other agent clients so that memories are auto-loaded (e.g., writing AR-SYNC.md and .claude commands, adding PostToolUse hooks). That creates persistent, cross-client presence and can alter what other agents load into their system prompt/context. Combined with the pre-scan 'system-prompt-override' signal and instructions to auto-sync memory into client-loaded files, this elevates persistence beyond the local data store described in the security summary.
Scan Findings in Context
[system-prompt-override] unexpected: Pre-scan flagged prompt-injection patterns. SKILL.md and docs include explicit instructions to write files (AR-SYNC.md, ~/.claude/commands/*.md) and add hooks so agent memory is auto-loaded into client contexts—behavior that can effectively override or augment system prompts and persisted context across agents. This is plausible for a memory tool but diverges from the SKILL.md's 'local only / zero telemetry' assurances and should be verified.
What to consider before installing
What to consider before installing: - Inconsistency check: The skill claims 'zero cloud, zero telemetry' and only writing under ~/.agent-recall, yet install instructions use npx/curl and ask you to modify multiple client configs (.claude, .vscode, .hermes, .cursor). Treat those claims as unverified until you inspect the package. - Inspect the package first: If you plan to run `npx agent-recall-mcp`, review the agent-recall-mcp package source on npm/GitHub (or download the tarball and inspect contents) before executing. Confirm there are no unexpected network calls, telemetry, or scripts that modify unrelated config paths. - Backup configs: The README recommends writing into other agents' config directories. Back up any client config files (~/.claude, ~/.vscode/mcp.json, ~/.hermes/config.yaml, etc.) before applying changes so you can roll back. - Avoid automatic hooks initially: Don't enable auto-sync/auto-hooks or write AR-SYNC.md into client-loaded memory until you understand exactly what gets written and when. Use manual commands first (run the CLI locally) to observe behavior. - Run in an isolated environment: If possible, test in a disposable VM/container or non-critical user account. This reduces risk if the package writes unexpected files or persists injections into agent clients. - Verify network behavior: Although downloads come from npm/GitHub, confirm there are no hardcoded external endpoints, URL shorteners, or personal servers in the code that could exfiltrate data. - Check correction capture privacy: The skill is designed to capture corrections and transcripts. If you use this with sensitive data, verify where captured transcripts are stored and that no telemetry is present. - Ask for provenance: There's no homepage listed. Prefer installing only when a canonical repository or authoritative npm package + maintainer identity is available and you can audit the code or rely on known maintainers. If you want, I can: (1) list the exact lines/files that write to client config locations, (2) search the code for outbound network calls or telemetry, or (3) draft a safe install checklist/command sequence to test without modifying client configs.
!
packages/cli/README.md:560
Prompt-injection style instruction pattern detected.
!
packages/core/README-pre-redesign.md:560
Prompt-injection style instruction pattern detected.
!
packages/core/README.md:165
Prompt-injection style instruction pattern detected.
!
packages/mcp-server/README-pre-redesign.md:560
Prompt-injection style instruction pattern detected.
!
packages/sdk/README.md:560
Prompt-injection style instruction pattern detected.
!
README.md:691
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ece4v3h750hpm62nvtt7tws85fz0c
158downloads
0stars
7versions
Updated 4d ago
v3.3.27
MIT-0
Memijashi@goldentrii
latest
Download

AgentRecall v3.3.27 — Usage Guide

AgentRecall is a persistent memory system with 6 MCP tools. This guide describes how and when to use them.

Setup

AgentRecall requires the MCP server to be running. If tool calls fail with "unknown tool", the human needs to install it first.

Installation (human runs once)

Claude Code:

claude mcp add --scope user agent-recall -- npx -y agent-recall-mcp

Cursor (.cursor/mcp.json):

{ "mcpServers": { "agent-recall": { "command": "npx", "args": ["-y", "agent-recall-mcp"] } } }

VS Code / GitHub Copilot (.vscode/mcp.json):

{ "servers": { "agent-recall": { "command": "npx", "args": ["-y", "agent-recall-mcp"] } } }

Windsurf (~/.codeium/windsurf/mcp_config.json):

{ "mcpServers": { "agent-recall": { "command": "npx", "args": ["-y", "agent-recall-mcp"] } } }

Codex:

codex mcp add agent-recall -- npx -y agent-recall-mcp

Hermes Agent (~/.hermes/config.yaml):

mcp_servers:
  agent-recall:
    command: npx
    args: ["-y", "agent-recall-mcp"]

Roo Code (.roo/mcp.json):

{ "mcpServers": { "agent-recall": { "command": "npx", "args": ["-y", "agent-recall-mcp"] } } }

Any MCP-compatible agent:

command: npx
args: ["-y", "agent-recall-mcp"]
transport: stdio

Tools

AgentRecall provides these MCP tools:

session_start

When: Beginning of a session, to load prior context.

What it returns:

  • project — detected project name
  • identity — who the user is (1-2 lines)
  • insights — top 5 awareness insights (title + confirmation count)
  • active_rooms — top 3 palace rooms by salience
  • cross_project — insights from other projects matching current context
  • recent — today/yesterday journal briefs
  • watch_for — predictive warnings from past correction patterns

How to use the response:

  1. Read identity to calibrate your tone and approach
  2. Read insights — these are battle-tested lessons. Follow them.
  3. Read watch_for — these are patterns where you've been wrong before on this project. Adjust your approach.
  4. Read recent to understand where the last session left off
  5. Present a brief to the human: project name, last session summary, relevant insights

Example call:

session_start({ project: "auto" })

remember

When: You learn something worth keeping. A decision, a bug fix, an insight, a session note.

What it does: Auto-classifies your content and routes it to the right store:

  • Bug fix / lesson → knowledge store
  • Architecture / decision → palace room
  • Cross-project pattern → awareness system
  • Session activity → journal

You do NOT need to decide where it goes. Just describe what to remember.

How to use:

remember({
  content: "We decided to use GraphQL instead of REST because the frontend needs flexible queries",
  context: "architecture decision"    // optional hint, improves routing
})

Returns: routed_to (which store), classification (content type), auto_name (semantic slug generated)

recall

When: You need to find something from past sessions. A decision, a pattern, a lesson.

What it does: Searches ALL stores at once using Reciprocal Rank Fusion (RRF) — each source (palace, journal, insights) ranks internally, then positions merge so no single source dominates. Journal entries decay fast via Ebbinghaus curve (S=2 days); palace entries are near-permanent (S=9999). Returns ranked results with stable IDs.

How to use:

recall({ query: "authentication design", limit: 5 })

Feedback: After using results, rate them. Ratings use a Bayesian Beta model — the mathematically optimal estimate of true usefulness:

recall({
  query: "auth patterns",
  feedback: [
    { id: "abc123", useful: true },   // Beta(2,1) → ×1.33 next time
    { id: "def456", useful: false }   // Beta(1,2) → ×0.67 next time
  ]
})

Feedback is query-aware — rating something "useless" for one query doesn't penalize it for unrelated queries.

session_end

When: End of session, after work is done.

What it does in one call:

  • Writes daily journal entry
  • Updates awareness with new insights (merge or add)
  • Consolidates decisions/goals into palace rooms
  • Archives demoted insights (preserved, not deleted)

How to use:

session_end({
  summary: "Built auth module with JWT refresh rotation. Fixed CORS bug.",
  insights: [
    {
      title: "JWT refresh tokens need httpOnly cookies — localStorage is vulnerable",
      evidence: "XSS attack vector discovered during security review",
      applies_when: ["auth", "jwt", "security", "cookies"],
      severity: "critical"
    }
  ],
  trajectory: "Next: add rate limiting to API endpoints"
})

Rules for insights:

  • 1-3 per session. Quality over quantity.
  • Must be reusable. "Fixed a bug" is NOT an insight. "API returns null when session expires — always null-check auth responses" IS an insight.
  • applies_when keywords determine when this insight surfaces in future sessions across ALL projects.

check

When: Before executing a complex task where you might misunderstand the human's intent.

What it does:

  • Records your understanding of the goal
  • Returns watch_for — patterns from past corrections on this project
  • Returns similar_past_deltas — times you misunderstood similar goals before
  • After human responds, record the correction for future agents

Two-call pattern:

Call 1 — before work:

check({
  goal: "Build REST API for user management",
  confidence: "medium",
  assumptions: ["User wants REST, not GraphQL", "CRUD endpoints", "PostgreSQL backend"]
})

Read the watch_for response. If it says "You've been corrected on API style 3 times", ASK the human before proceeding.

Call 2 — after human corrects (if they do):

check({
  goal: "Build REST API for user management",
  confidence: "high",
  human_correction: "Actually wants GraphQL, not REST",
  delta: "API style preference — assumed REST, human prefers GraphQL"
})

This feeds the predictive system. Future agents on this project will get warnings.

Session Flow

Start of session

1. session_start()           → load context, read insights and warnings
2. Present brief to human    → "Last session: X. Insights: Y. Ready."
3. check() if task is complex → verify understanding before work

During work

4. remember() when you learn something   → auto-routes to right store
5. recall() when you need past context   → searches everything
6. check() before major decisions        → verify understanding

End of session

7. check() with corrections if any       → record what human corrected
8. session_end()                          → save journal + insights + consolidation
9. Done — all data saved locally (only push to git if user explicitly asks)

How Memory Compounds

Each layer feeds the next. The system gets better the more you use it.

SAVE: remember("JWT needs httpOnly cookies")
  → Auto-named: "lesson-jwt-httponly-cookies-security"
  → Indexed in palace + insights
  → Auto-linked to "architecture" room (keyword overlap)
  → Salience scored: recency(0.30) + access(0.25) + connections(0.20) + ...

RECALL: recall("cookie security") — 3 sessions later, different project
  → Finds the JWT insight via keyword match + graph edge traversal
  → Agent rates it useful → feedback boosts future ranking
  → Next recall on similar query → this result surfaces higher

COMPOUND: After 10 sessions
  → 200-line awareness contains cross-validated insights
  → watch_for warns about past mistakes before they repeat
  → Corrections auto-promote to awareness at 3+ occurrences
  → Graph connects related memories across rooms automatically

Best Practices

  1. Call session_start at the beginning. Insights from past sessions prevent repeated mistakes.
  2. Call session_end when done. If the session produced decisions, insights, or corrections, save them.
  3. Insights should be reusable. Write them for a future agent who has never seen this project.
  4. Match the human's language. If they write in Chinese, save in Chinese.
  5. Don't over-save. 1-3 insights per session. 1-2 remember calls during work. More is noise.
  6. Rate your recall results. Feedback makes future retrievals better.
  7. Use check for ambiguous tasks. 5 seconds of verification beats 30 minutes of wrong work.
  8. Read watch_for warnings. If session_start or check returns warnings, adjust your approach.

Storage

All data is local markdown + JSON at ~/.agent-recall/. No cloud, no telemetry, no API keys.

~/.agent-recall/
  awareness.md                              # 200-line compounding document (global)
  awareness-state.json                      # Structured awareness data
  awareness-archive.json                    # Demoted insights (preserved, not deleted)
  insights-index.json                       # Cross-project insight matching
  feedback-log.json                         # Retrieval quality ratings
  projects/<name>/
    journal/YYYY-MM-DD.md                   # Daily journals (legacy)
    journal/YYYY-MM-DD--arsave--NL--slug.md # Smart-named journals (auto-save)
    palace/rooms/<room>/                    # Persistent knowledge rooms
    palace/identity.md                      # Project intention + goals
    palace/graph.json                       # Memory connection edges
    alignment-log.json                      # Correction history for watch_for

Obsidian-compatible. Open palace/ as a vault to see the knowledge graph.

Platform Compatibility

PlatformHow to install
Claude Codeclaude mcp add --scope user agent-recall -- npx -y agent-recall-mcp
Cursor.cursor/mcp.json
VS Code / Copilot.vscode/mcp.json
Windsurf~/.codeium/windsurf/mcp_config.json
Codexcodex mcp add agent-recall -- npx -y agent-recall-mcp
Hermes Agent~/.hermes/config.yaml under mcp_servers:
Roo Code.roo/mcp.json
Claude Desktopclaude_desktop_config.json
Gemini CLIMCP server config
OpenCodeMCP server config
Any MCP clientcommand: npx, args: ["-y", "agent-recall-mcp"], transport: stdio

All platforms use the same tools. No platform-specific behavior.

Security & Privacy

  • Zero network: No outbound HTTP requests, no telemetry, no analytics, no cloud sync. All operations are local filesystem reads/writes.
  • Zero credentials: No API keys, tokens, or environment variables required.
  • Scoped filesystem access: Reads/writes only to ~/.agent-recall/ (configurable via --root flag). Does not access files outside this directory unless the agent explicitly passes project-specific paths.
  • No code execution: The MCP server does not execute arbitrary code, run shell commands, or spawn child processes.
  • Transparent storage: All data is human-readable markdown and JSON. Inspect it anytime: ls ~/.agent-recall/ or open it as an Obsidian vault.
  • Open source: Full source at github.com/Goldentrii/AgentRecall. MIT license.

Comments

Loading comments...