v1.0.1

SQ Memory

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:37 AM.

Analysis

SQ Memory is mostly aligned with its stated memory purpose, but it deserves review because it persists sensitive agent memory and the implementation can list more memory entries than the requested scope.

GuidanceReview and narrow the memory policy before installing. Use a trusted self-hosted or HTTPS endpoint, avoid storing highly sensitive personal data unless you understand the endpoint’s logs and retention, and confirm the list_memories prefix bug is fixed if you need scoped memory access.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

index.js

async list_memories(prefix) { ... const response = await this._request('GET', `/api/v2/toc?p=${encodeURIComponent(this.phext)}`); ... return lines; }

The prefix argument is expanded but not used in the request or filtered locally, so the tool can return all memory coordinates in the phext instead of only those matching the requested prefix.

User impactAn agent asking for one area of memory may see unrelated memory coordinates and may then use or recall context outside the user’s intended scope.

RecommendationEnforce prefix filtering in the API request or client code, add tests proving list_memories only returns matching entries, and document the exact listing boundary.

Agent Goal Hijack

SeverityLowConfidenceHighStatusNote

QUICKSTART.md

Add to your agent's system prompt: ... When users mention preferences, remember them. When answering questions, check memory first.

This is user-directed setup guidance, but it changes the agent’s default behavior to proactively store and consult persistent memory.

User impactThe agent may remember or rely on stored information more often than a user expects unless the prompt is narrowed.

RecommendationAdd clear rules for consent, sensitive topics, conflict resolution, and when not to write or trust memory.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

skill.json

"api_key": { "description": "SQ Cloud API key (leave empty for self-hosted)", "required": false, "secret": true }

The skill can use an SQ Cloud bearer token; this is expected for hosted storage and is declared as a secret in the manifest.

User impactAnyone with the configured API key may be able to access the associated SQ memory service according to that service’s permissions.

RecommendationUse a dedicated SQ key, keep it in the declared secret field, rotate it if exposed, and avoid sharing one key across unrelated agents.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusConcern

index.js

const s = encodeURIComponent(text); await this._request('GET', `/api/v2/update?p=${encodeURIComponent(this.phext)}&c=${encoded}&s=${s}`);

The arbitrary memory text is placed directly into a URL query string when storing memories.

User impactIf the agent stores personal details or conversation history, those values may appear in endpoint, proxy, or access logs, especially if a non-local HTTP endpoint is configured.

RecommendationSend memory contents in a POST body over HTTPS for remote endpoints, document retention/logging behavior, and avoid storing sensitive data unless the endpoint is trusted.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

examples/multi-agent-coordination.js

async function sendMessage(fromAgent, toAgent, message) { ... await remember(coordinate, JSON.stringify({ from: fromAgent, to: toAgent, message: message, ... })); }

The examples show inter-agent messages and task coordination using shared memory with self-declared sender and recipient fields.

User impactIf users adopt this pattern, agents sharing the same memory space could spoof messages or write tasks unless separate authentication or namespace controls are added.

RecommendationUse separate namespaces or authenticated channels for multi-agent workflows, validate message origin, and treat shared memory as untrusted input.