MemClawz Connect
v1.1.0
Connect any AI agent to the MemClawz shared memory bus. Gives agents read-before-act and write-after-complete patterns via a simple HTTP API. Use when an age...
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (connect an agent to a MemClawz HTTP memory bus) matches the instructions (curl-based read/write/search), but metadata lists no required environment variables while the runtime instructions clearly require MEMCLAWZ_URL and MEMCLAWZ_AGENT_ID (and optionally MEMCLAWZ_API_KEY). The omission of these expected requirements and the lack of a homepage/origin (source: unknown) are inconsistent and reduce trust.
Instruction Scope
SKILL.md instructs the agent to run curl against whatever MEMCLAWZ_URL is set to (localhost or any remote host) and to write arbitrary 'content' after tasks. That behavior is expected for a memory connector, but it also allows sending agent context and results to any remote endpoint the operator configures (the doc even shows a public IP example). The instructions do not restrict what data to include, do not require authentication by default, and do not warn about sensitive data — increasing the risk of accidental or malicious exfiltration.
Install Mechanism
There is no install spec and no code files (instruction-only). This minimizes local attack surface because nothing is downloaded or written by the skill itself.
Credentials
Declared requirements list no environment variables or credentials, but the runtime docs require MEMCLAWZ_URL and MEMCLAWZ_AGENT_ID and mention MEMCLAWZ_API_KEY if auth is enabled. This mismatch is problematic: required secrets/vars are not declared in metadata, and a skill that can send data to an arbitrary URL should explicitly declare and justify any credentials it needs.
Persistence & Privilege
The skill is not always-enabled and uses the default model-invocation policy (agent may invoke it autonomously). Autonomous invocation plus the ability to send arbitrary data to a remote MemClawz server increases blast radius if the server is untrusted — but autonomous invocation alone is expected and not a standalone red flag.
What to consider before installing
This skill probably does what it claims, but there are missing declarations and provenance issues you should address before installing. Specifically:
(1) Verify you trust and control the MemClawz server you point MEMCLAWZ_URL at — do not set it to an unknown public IP.
(2) Treat MEMCLAWZ_URL, MEMCLAWZ_AGENT_ID, and MEMCLAWZ_API_KEY as required configuration and only provide them if you understand where data will be stored.
(3) Ask the publisher for a homepage, source code, and a clear security model (auth, data retention, encryption).
(4) If you plan to use this with agents that may handle secrets or PII, restrict the skill to agents you control or modify the AGENTS.md procedure to sanitize or exclude sensitive content before writing.
(5) Prefer a deployment where MEMCLAWZ_URL is localhost or an internal, access-controlled host, and require an API key on the server side.
If the vendor cannot justify the missing metadata and unknown origin, avoid enabling it for agents handling sensitive data.
Like a lobster shell, security has layers — review code before you run it.
latest
MemClawz Connect
One skill. Any agent. Shared memory.
Setup
export MEMCLAWZ_URL="http://localhost:3500" # or remote: http://YOUR_SERVER:3500
export MEMCLAWZ_AGENT_ID="my-agent" # unique per agent
No API key required for default installs. If auth is enabled, also set MEMCLAWZ_API_KEY.
Health Check
curl -s "$MEMCLAWZ_URL/health"
# {"status":"ok","version":"...","qdrant":"connected"}
Agent Protocol
Before ANY Task — Search First
curl -s "$MEMCLAWZ_URL/api/v1/search?q=TOPIC&limit=5"
Response:
{"results": [{"content": "...", "agent_id": "quant-dev", "memory_type": "decision", "score": 0.92}]}
Use results as context before starting work. Avoids re-discovering what's already known.
After Completing Work — Write Back
curl -s -X POST "$MEMCLAWZ_URL/api/v1/add" \
-H "Content-Type: application/json" \
-d '{
"content": "Deployed v2.0 — fixed auth race condition with mutex on refresh",
"agent_id": "'"$MEMCLAWZ_AGENT_ID"'",
"memory_type": "event"
}'
Memory Types
| Type | When |
|---|---|
| fact | Discovered info (endpoints, versions, configs) |
| decision | Choices made (architecture, approach, tool selection) |
| procedure | How something was done (deploy steps, build process) |
| event | What happened (deployed X, fixed Y, shipped Z) |
| insight | Lessons learned (what worked, what didn't) |
| intention | Planned actions |
| commitment | Promises made |
| action | Actions taken |
| outcome | Results of actions |
Stats
curl -s "$MEMCLAWZ_URL/api/v1/stats"
List Agents
curl -s "$MEMCLAWZ_URL/api/v1/agents"
Get Memories
curl -s "$MEMCLAWZ_URL/api/v1/memories?agent_id=$MEMCLAWZ_AGENT_ID&limit=50"
AGENTS.md Integration
Append to your agent's AGENTS.md:
## MemClawz Shared Memory
Fleet memory API: $MEMCLAWZ_URL/api/v1
### Before ANY task:
Search shared memory for relevant context:
curl -s "$MEMCLAWZ_URL/api/v1/search?q=<task keywords>&limit=5"
### After completing ANY significant work:
Write results to shared memory:
curl -s -X POST "$MEMCLAWZ_URL/api/v1/add" \
-H "Content-Type: application/json" \
-d '{"content": "<what was done>", "agent_id": "'"$MEMCLAWZ_AGENT_ID"'", "memory_type": "<type>"}'
Remote Agents
For agents on a different server, just change MEMCLAWZ_URL from localhost:3500 to the master's IP/hostname:
export MEMCLAWZ_URL="http://76.13.154.71:3500"
Everything else stays the same.
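The scan's recommendations (keep MEMCLAWZ_URL on a host you control, sanitize content before writing) can be enforced in a wrapper around the write-back call. This is an added example, not part of the MemClawz skill; the MEMCLAWZ_ALLOWED_HOSTS variable, the function names and the redaction patterns are assumptions.

```bash
#!/usr/bin/env bash
# Added example: guard the MemClawz write-back. Allowlist and patterns are assumptions.
MEMCLAWZ_ALLOWED_HOSTS="localhost 127.0.0.1"   # hosts you control; extend with internal names

# Succeeds only for scheme://host[:port][/path] whose host is on the allowlist.
memclawz_url_allowed() {
  local url="$1" host allowed
  case "$url" in
    *@*|*\\*|*\?*|*\#*|*[[:space:]]*) return 1 ;;   # userinfo/fragment tricks: fail closed
    http://*|https://*) ;;
    *) return 1 ;;
  esac
  host="${url#*://}"; host="${host%%/*}"; host="${host%%:*}"   # drop scheme, path, port
  for allowed in $MEMCLAWZ_ALLOWED_HOSTS; do
    [ "$host" = "$allowed" ] && return 0
  done
  return 1
}

# Masks common secret shapes before content leaves the agent (illustrative patterns).
memclawz_redact() {
  printf '%s' "$1" | sed -E \
    -e 's/([A-Za-z_]*(KEY|key|TOKEN|token|PASSWORD|password|SECRET|secret))([[:space:]]*[=:][[:space:]]*)[^[:space:]"]+/\1\3[REDACTED]/g' \
    -e 's#Bearer [A-Za-z0-9._~+/-]+#Bearer [REDACTED]#g'
}

# Escapes backslash and double quote; flattens control characters to spaces.
memclawz_json_escape() {
  printf '%s' "$1" | tr '\001-\037' ' ' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Builds the /api/v1/add body from redacted content ($1) and a memory type ($2).
memclawz_payload() {
  printf '{"content":"%s","agent_id":"%s","memory_type":"%s"}' \
    "$(memclawz_json_escape "$(memclawz_redact "$1")")" \
    "$(memclawz_json_escape "$MEMCLAWZ_AGENT_ID")" "$(memclawz_json_escape "$2")"
}

# Refuses to send anything unless MEMCLAWZ_URL passes the allowlist.
memclawz_add() {
  memclawz_url_allowed "$MEMCLAWZ_URL" || {
    echo "refusing to write to non-allowlisted MEMCLAWZ_URL" >&2; return 1; }
  curl -s -X POST "$MEMCLAWZ_URL/api/v1/add" \
    -H "Content-Type: application/json" -d "$(memclawz_payload "$1" "$2")"
}
```

Source the file and call `memclawz_add "<what was done>" "<type>"` in place of the raw curl command; pattern-based redaction only catches the secret shapes listed, so it complements rather than replaces restricting which agents may write.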
