Tinmem Memory System

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is clearly meant for memory, but it automatically stores and reuses personal information across sessions without clear limits, consent, or retention controls.

This appears to be a legitimate memory skill, but it should be reviewed carefully because it stores user-related information persistently and automatically reuses it. Use it only if you are comfortable with cross-session memory, and verify that you can inspect, correct, delete, and limit what it remembers.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Personal or sensitive details shared in one conversation could be saved and later used in other conversations, including if the saved memory is outdated, incorrect, or contains harmful instructions.

Why it was flagged

The skill documents automatic cross-session storage and reuse of memory, but does not specify consent, exclusions, retention, review, or safeguards against bad or sensitive memories influencing future responses.

Skill content

- Memories are automatically injected into context before each response via `<agent-experience>` tags
- New memories are automatically extracted after each conversation turn
- All memories persist across sessions in a local LanceDB database

Recommendation

Install only if you want automatic persistent memory; before use, look for controls to review, edit, delete, disable, or limit what is stored and when memories are injected.

What this means

The assistant may retain sensitive personal attributes longer or more broadly than the user expects.

Why it was flagged

The memory categories explicitly include identity and demographic information, and the artifact does not describe restrictions for sensitive personal data or user approval before saving it.

Skill content

`profile` | User identity, role, expertise, demographics | Always merge

Recommendation

Avoid sharing sensitive personal information unless the memory system provides visible consent, deletion, and exclusion controls.