agent-memory Security Report — Low Risk | ClawSafe

20 /100

agent-memory

AI agent memory infrastructure implementing Context Engineering core capabilities - selection, compression, retrieval, state tracking, and memory management with privacy controls

Legitimate AI memory infrastructure skill with no malicious behavior detected. Contains proper encryption, privacy controls, and no exfiltration capabilities. Minor documentation issues do not pose security risks.

Skill Nameagent-memory

Duration54.7s

Enginepi

✓

Safe to install

This skill is safe to use. Consider adding explicit allowed-tools declaration to SKILL.md for transparency. The example passwords in documentation are clearly marked and non-functional.

Findings 3 items

Severity	Finding	Location
Low	Example passwords in documentation The encryption_guide.md contains example passwords 'user_password_123' and 'optional_password' in code samples. These are clearly labeled as example usage and do not pose actual security risks. `password = "user_password_123"` → Consider using placeholder syntax like '<your-password>' in documentation examples to avoid confusion with hardcoded credentials.	`references/encryption_guide.md:157`
Info	Missing allowed-tools declaration SKILL.md does not declare an allowed-tools section mapping to the capability model, though filesystem:WRITE and network:READ are clearly used. `dependency: {...}` → Add explicit allowed-tools mapping for transparency: e.g., 'allowed-tools: [Read, Write, Bash]' to document tool permissions.	`SKILL.md:1`
Info	Meta-skill with always:true This skill is marked as 'always: true' and will run continuously. This is by design for memory infrastructure but increases attack surface. `always: true` → Ensure host environment has appropriate sandboxing if running untrusted skills.	`SKILL.md:2`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	SKILL.md:storage paths ./memory_data, scripts/credential_manager.py:storage_path…
Network	`READ`	`READ`	✓ Aligned	SKILL.md:Redis connection, scripts/redis_adapter.py:Redis client
Shell	`NONE`	`NONE`	—	No subprocess calls found
Environment	`NONE`	`READ`	✓ Aligned	scripts/credential_manager.py:reads MEMORY_MASTER_KEY env var
Skill Invoke	`NONE`	`NONE`	—	No skill invocation found
Clipboard	`NONE`	`NONE`	—	No clipboard access found
Browser	`NONE`	`NONE`	—	No browser access found
Database	`READ`	`READ`	✓ Aligned	SKILL.md:Redis, scripts/redis_adapter.py:RedisAdapter

2 High 2 findings

🔑

High API Key 疑似硬编码凭证

password = "user_password_123"

references/encryption_guide.md:157

🔑

High API Key 疑似硬编码凭证

password="optional_password"

references/encryption_guide.md:171

File Tree

68 files · 1.4 MB · 45450 lines

Python 50f · 36715L Markdown 17f · 8236L JSON 1f · 499L

├─ ▾ 📁 assets

│ └─ ▾ 📁 templates

│ └─ 📋 memory_schemas.json JSON 499L · 14.1 KB

├─ ▾ 📁 references

│ ├─ 📝 activation_mechanism.md Markdown 526L · 13.2 KB

│ ├─ 📝 agent_loops_advanced.md Markdown 548L · 17.4 KB

│ ├─ 📝 agent_loops_integration.md Markdown 540L · 13.7 KB

│ ├─ 📝 api_class_reference.md Markdown 478L · 29.5 KB

│ ├─ 📝 api_enums.md Markdown 903L · 18.5 KB

│ ├─ 📝 architecture_execution_model.md Markdown 410L · 14.3 KB

│ ├─ 📝 architecture_overview.md Markdown 672L · 35.7 KB

│ ├─ 📝 chain_reasoning_guide.md Markdown 604L · 20.9 KB

│ ├─ 📝 encryption_guide.md Markdown 482L · 10.9 KB

│ ├─ 📝 index_sync_guide.md Markdown 540L · 17.4 KB

│ ├─ 📝 insight_design.md Markdown 496L · 11.1 KB

│ ├─ 📝 memory_types.md Markdown 517L · 19.2 KB

│ ├─ 📝 module_index.md Markdown 138L · 5.7 KB

│ ├─ 📝 privacy_guide.md Markdown 407L · 9.8 KB

│ ├─ 📝 short_term_insight_guide.md Markdown 357L · 11.6 KB

│ └─ 📝 usage_guide.md Markdown 305L · 8.1 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 __init__.py Python 262L · 5.9 KB

│ ├─ 🐍 async_writer.py Python 462L · 13.9 KB

│ ├─ 🐍 batched_writer.py Python 297L · 8.6 KB

│ ├─ 🐍 bloom_filter.py Python 349L · 10.8 KB

│ ├─ 🐍 cache_consistency.py Python 578L · 16.3 KB

│ ├─ 🐍 cache_layer.py Python 649L · 17.8 KB

│ ├─ 🐍 causal_chain_extractor.py Python 575L · 18.2 KB

│ ├─ 🐍 chain_reasoning.py Python 837L · 26.1 KB

│ ├─ 🐍 cognitive_model_builder.py Python 824L · 29.3 KB

│ ├─ 🐍 conflict_resolver.py Python 509L · 17.8 KB

│ ├─ 🐍 context_lazy_loader.py Python 733L · 20.4 KB

│ ├─ 🐍 context_orchestrator.py Python 914L · 27.9 KB

│ ├─ 🐍 context_reconstructor.py Python 1292L · 41.9 KB

│ ├─ 🔑 credential_manager.py ⚠ Python 364L · 10.4 KB

│ ├─ 🐍 cross_session_memory_linker.py Python 569L · 16.8 KB

│ ├─ 🐍 encryption.py Python 661L · 16.3 KB

│ ├─ 🐍 fallback_manager.py Python 480L · 14.3 KB

│ ├─ 🐍 heat_manager.py Python 242L · 6.6 KB

│ ├─ 🐍 importance_scorer.py Python 547L · 17.8 KB

│ ├─ 🐍 incremental_sync.py Python 544L · 13.7 KB

│ ├─ 🐍 insight_module.py Python 1297L · 42.6 KB

│ ├─ 🐍 knowledge_gap_identifier.py Python 627L · 21.3 KB

│ ├─ 🐍 long_term.py Python 1180L · 40.5 KB

│ ├─ 🐍 memory_conflict.py Python 936L · 30.3 KB

│ ├─ 🐍 memory_forgetting_mechanism.py Python 557L · 17.5 KB

│ ├─ 🐍 memory_index.py Python 664L · 19.4 KB

│ ├─ 🐍 monitoring.py Python 606L · 15.4 KB

│ ├─ 🐍 multi_source_coordinator.py Python 676L · 22.7 KB

│ ├─ 🐍 noise_filter.py Python 556L · 16.8 KB

│ ├─ 🐍 observability_manager.py Python 1071L · 31.0 KB

│ ├─ 🐍 perception.py Python 850L · 24.1 KB

│ ├─ 🐍 permission_boundary_controller.py Python 823L · 24.6 KB

│ ├─ 🐍 prefetch_manager.py Python 580L · 17.1 KB

│ ├─ 🐍 privacy.py Python 776L · 21.8 KB

│ ├─ 🐍 progressive_compressor.py Python 583L · 18.6 KB

│ ├─ 🐍 redis_adapter.py Python 947L · 24.4 KB

│ ├─ 🐍 result_compressor.py Python 1211L · 39.6 KB

│ ├─ 🐍 retrieval_decision_engine.py Python 574L · 17.6 KB

│ ├─ 🐍 retrieval_organizer.py Python 754L · 22.8 KB

│ ├─ 🐍 retrieval_quality_evaluator.py Python 629L · 19.4 KB

│ ├─ 🐍 short_term_insight.py Python 630L · 21.7 KB

│ ├─ 🐍 short_term_redis.py Python 704L · 19.6 KB

│ ├─ 🐍 short_term.py Python 1689L · 53.2 KB

│ ├─ 🐍 smart_allocator.py Python 532L · 17.0 KB

│ ├─ 🐍 state_capture.py Python 1119L · 29.3 KB

│ ├─ 🐍 state_consistency_validator.py Python 603L · 19.4 KB

│ ├─ 🐍 state_inference_engine.py Python 604L · 19.4 KB

│ ├─ 🐍 task_progress.py Python 1024L · 30.1 KB

│ ├─ 🔑 token_budget.py ⚠ Python 645L · 18.2 KB

│ └─ 🐍 type_defs.py Python 1580L · 46.6 KB

└─ 📝 SKILL.md Markdown 313L · 10.2 KB

Dependencies 6 items

Package	Version	Source	Known Vulns	Notes
`pydantic`	`>=2.0.0`	pip	No	Version not pinned, only lower bound specified
`typing-extensions`	`>=4.0.0`	pip	No	Version not pinned
`cryptography`	`>=41.0.0`	pip	No	Version not pinned
`redis`	`>=4.5.0`	pip	No	Version not pinned
`tiktoken`	`>=0.5.0`	pip	No	Optional dependency for token counting
`mmh3`	`>=3.0.0`	pip	No	For Bloom filter implementation

Security Positives

✓ AES-256-GCM encryption with proper key management (PBKDF2-HMAC-SHA256)

✓ Master key stored with 0o600 permissions (scripts/credential_manager.py:95)

✓ No external network requests to unknown IPs - only local Redis connection

✓ Comprehensive privacy controls with consent management and sensitive data detection

✓ Permission boundary controller with regex-based PII detection and auto-redaction

✓ Audit logging for all data operations

✓ Dependency versions properly pinned in SKILL.md

✓ No subprocess execution, no shell commands, no base64/eval tricks

✓ Explicit documentation warning against hardcoding keys

✓ Uses cryptographically secure secrets.token_bytes() for key generation

Scan Report

Findings 3 items

File Tree

Dependencies 6 items

Security Positives