Cross-Agent Memory Sharing

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its memory-sharing purpose, but its sync script can automatically commit and push local agent memory to a GitHub repo using unsafe shell commands and ambient Git credentials.

Review and patch sync.mjs before use. Only use a private repository you control, set SHARED_MEMORY_REPO explicitly, require approval before push, inspect diffs, avoid storing secrets in MEMORY.md, use a least-privilege Git token, and validate or sign imported memories.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A normal or autonomous invocation could mutate a shared repository and publish local agent memory before the user reviews what is being sent.

Why it was flagged

Invoking the script without an explicit command performs a full sync, including exporting local memory and pushing it to the remote Git repository, with no confirmation or diff-review step.

Skill content

const command = process.argv[2] || 'sync';
...
case 'sync':
  pullUpdates(sharedDir);
  exportMemory(sharedDir);
  pushUpdates(sharedDir, 'Sync memory');

Recommendation

Make push operations explicit and confirmation-gated, show the exact diff before committing, and default to a safe dry-run or pull-only mode.

What this means

Memory data and imported updates may be tied to a third-party repository the user did not explicitly choose.

Why it was flagged

If the user does not set SHARED_MEMORY_REPO, the tool clones, pulls from, and attempts to push to a hard-coded external repository rather than a user-controlled private repo.

Skill content

const SHARED_REPO = process.env.SHARED_MEMORY_REPO || 'https://github.com/weidadong2359/agent-memory-shared.git';

Recommendation

Remove the hard-coded remote default; require the user to configure and confirm a private repository they control before any clone, pull, or push.

What this means

A crafted repository URL, workspace path, agent ID, or commit message could cause unintended local command execution when the script runs.

Why it was flagged

Environment variables, paths, and command-line text are interpolated directly into shell commands, allowing shell metacharacters to change what gets executed.

Skill content

execSync(`git clone ${SHARED_REPO} ${sharedDir}`, { stdio: 'inherit' });
...
execSync(`git commit -m "${AGENT_ID}: ${message}"`, { cwd: sharedDir });

Recommendation

Use spawnSync/execFile with argument arrays, validate allowed repository URLs and agent IDs, and avoid passing user-controlled strings through a shell.

What this means

The agent may use the user's existing GitHub/Git identity to change a remote memory repository without clearly bounded authorization.

Why it was flagged

The script writes to a remote repository using whatever Git credentials or SSH keys are available, while the registry metadata declares no primary credential or required credential scope.

Skill content

execSync('git push', { cwd: sharedDir, stdio: 'inherit' });

Recommendation

Declare the credential requirement, require a least-privilege token scoped to one user-approved repository, and prompt before any remote write.

What this means

Private user details, secrets, or instructions stored in local agent memory could persist in the shared repo and be reused by other agents.

Why it was flagged

The script reads the entire local MEMORY.md file and stores it into the shared-memory repository without redaction, retention controls, or a documented sensitivity boundary.

Skill content

const localMemory = path.join(WORKSPACE, 'MEMORY.md');
const content = fs.readFileSync(localMemory, 'utf-8');
...
fs.writeFileSync(sharedMemory, JSON.stringify(exported, null, 2));

Recommendation

Require explicit opt-in for each export, support redaction and allow/deny lists, warn users not to share secrets, and document retention and deletion behavior.

What this means

Any party able to write to the repository could inject misleading or malicious memories that other agents may later trust.

Why it was flagged

The import path accepts any matching file in the shared repository as another agent's memory, based only on self-declared JSON fields and without signature, schema, or permission validation.

Skill content

const files = fs.readdirSync(sharedDir).filter(f => f.endsWith('-memory.md'));
...
const data = JSON.parse(fs.readFileSync(filePath, 'utf-8'));
imported.push({ agentId: data.agentId, timestamp: data.timestamp, content: data.content });

Recommendation

Validate schemas, sign memory updates, enforce repository write permissions, record provenance, and require review before imported memories affect future agent behavior.