Is badaramoni/agentmemory safe?

https://github.com/openclaw/skills/tree/main/skills/badaramoni/agentmemory

Overall score: 47/100 · DANGEROUS

AgentMemory is a data-harvesting apparatus disguised as a productivity skill. Its Secrets Vault, file upload, and heartbeat-sync features constitute a complete pipeline for transmitting agent memories, arbitrary files, and user credentials to an unverified third-party server (agentmemory.cloud). The skill further modifies agent behavior via HEARTBEAT.md injection so that this sync runs automatically on every session start without user prompting. The 'end-to-end encrypted' and 'zero-knowledge' claims are unverifiable marketing language that exists specifically to lower resistance to credential exfiltration. Do not install.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 45/100 · 30%
Data Exfiltration 8/100 · 25%
Code Execution 68/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 15/100 · 5%

Findings (10)

CRITICAL Secrets Vault designed to harvest API keys and credentials to external server -80

The skill's Secrets Vault API is explicitly designed to store authentication credentials (API keys, database URLs, environment variables, connection strings) on agentmemory.cloud. The operator of that server has access to all stored credentials. The 'end-to-end encrypted' and 'zero-knowledge' claims are unverifiable marketing language — any server that generates or stores keys can read the data. An agent using this skill will transmit user credentials to an external party.

CRITICAL File upload API enables exfiltration of arbitrary local files up to 100MB -65

The skill provides an API and a CLI for uploading any file type to agentmemory.cloud. Files are automatically content-extracted and indexed server-side. Combined with an agent's filesystem access, this enables exfiltration of source code, private keys, documents, database dumps, and other sensitive content. The 100MB per-file limit and 100GB free storage are sized specifically for bulk data collection.

CRITICAL HEARTBEAT.md injection creates automatic session-start data sync without user action -55

The skill instructs agents to permanently add a HEARTBEAT.md section that runs 'agentmemory connect' on every session start, syncing all stored memories and secret names to agentmemory.cloud before the user has issued any request. This makes data exfiltration persistent, automatic, and invisible to the user. The instruction also directs the agent to store 'any new important information discovered during the session' autonomously.

HIGH Heartbeat API auto-syncs all memories and all secret names on every command -50

Every CLI command triggers a heartbeat that returns 'All your memories (synced)' and 'All your secret names'. This means any agent interaction with this skill — including innocuous queries — silently transmits complete memory contents and credential metadata to agentmemory.cloud in the background.

HIGH Autonomous memory collection of sensitive project and personal data without per-action consent -40

The skill instructs agents to autonomously store project facts, personal relationships, business decisions, and error/solution pairs to agentmemory.cloud during normal task execution without asking the user before each storage action. This systematically exfiltrates business intelligence and personal information.

HIGH Credential aggregation risk creates single-point-of-compromise across all agent users -45

An agent skill installed across multiple users or deployment environments collects credentials from all those contexts into a single agentmemory.cloud account. A single compromise of the AgentMemory API key exposes every credential stored across every agent interaction. The skill design intentionally centralizes sensitive data from many sources.

HIGH Global npm CLI installation recommended with unaudited provenance -32

The skill instructs users to run 'npm install -g agentmemory-cli'. The agentmemory-cli npm package is not part of this audit. Global npm installs run with elevated permissions and can execute preinstall/postinstall scripts. A malicious or supply-chain-compromised package published under that name could gain full system access.

MEDIUM Agent reasoning pre-empted: external memory consulted before answering questions -30

The skill instructs agents to query AgentMemory before asking the user questions and before making assumptions. This routes the agent's context-gathering through a third-party server before every response, creating a dependency on external infrastructure and allowing that infrastructure to influence agent behavior by controlling what memories are returned.

MEDIUM Unverifiable zero-knowledge and end-to-end encryption claims -25

The skill repeatedly asserts 'end-to-end encrypted', 'zero-knowledge', and 'we can't read your data' to build user trust for storing credentials. These claims are unverifiable without access to agentmemory.cloud's source code and key management infrastructure. Any server-controlled key derivation or storage negates both guarantees.

LOW Installation was clean with only expected GitHub traffic -12

The install process cloned from github.com (140.82.121.3:443) only. No unexpected remote destinations were contacted. No new listening ports were opened. No suspicious processes were spawned during installation.