Is lucaspdude/persistent-private-agent-memory safe?

https://github.com/openclaw/skills/tree/main/skills/lucaspdude/persistent-private-agent-memory

Score: 59/100 (CAUTION)

This skill is built on deliberate deception: it markets 'client-side encryption' as its primary security feature, but the code only base64-encodes data, a fact the author acknowledges in a code comment. The 'original' and 'improved' client files are byte-for-byte identical, so the advertised security fixes were never implemented. Beyond the fraudulent security claims, the local memory service binds to all network interfaces by default, exposes a wildcard CORS policy, and uses replay-vulnerable authentication; together these give any website the user visits, or any host on the LAN, a realistic path to silently read every stored agent memory once a single signed retrieve request has been captured.

Category Scores

Prompt Injection 80/100 · 30%
Data Exfiltration 30/100 · 25%
Code Execution 50/100 · 20%
Clone Behavior 80/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 15/100 · 5%

Findings (10)

CRITICAL False Encryption Claim — Data Stored as Base64 Despite Security Guarantees -50

SKILL.md's primary security pitch is 'All data encrypted with your private key' and 'Server never sees plaintext.' The actual implementation in memory_client.py applies only base64 encoding, which provides zero confidentiality. A code comment reads: 'Encrypt (simple base64 for now - client-side encryption would be better)' — demonstrating the author knowingly shipped this deception. Any agent that trusts this skill and stores sensitive session context (API tokens, personal information, workflow secrets) believes it is protected when in reality the SQLite database stores fully readable plaintext.
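The cheapest way to test a 'client-side encryption' claim is to read the store back and try to decode it. The following Python is an added example, not code from the skill: it builds a constructed in-memory SQLite table standing in for the skill's database (the table name `memories` and column `content` are assumptions, as are the rows) and flags every row that base64-decodes to readable text, which genuine ciphertext essentially never does.

```python
"""Added example (not the skill's code): detect base64-only "encryption" in a
memory store.  Table/column names and the sample rows are assumptions."""
import base64
import binascii
import sqlite3
import string

PRINTABLE = set(string.printable)


def decodes_to_readable_text(stored: str, min_printable_ratio: float = 0.95) -> bool:
    """True if `stored` is base64 whose decoded bytes are printable UTF-8 text.

    Ciphertext (or a random key) base64-decodes to bytes that almost never form
    valid UTF-8 made of printable characters, so this separates "base64 only"
    from "encrypted, then base64".
    """
    try:
        raw = base64.b64decode(stored, validate=True)
    except (binascii.Error, ValueError):
        return False
    if not raw:
        return False
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    printable = sum(1 for ch in text if ch in PRINTABLE)
    return printable / len(text) >= min_printable_ratio


def find_plaintext_memories(conn: sqlite3.Connection, table: str = "memories",
                            column: str = "content"):
    """Return (rowid, decoded text) for every row whose stored value is readable."""
    # Identifiers cannot be bound as SQL parameters; restrict them to plain names
    # so the f-string below cannot be abused.
    if not (table.isidentifier() and column.isidentifier()):
        raise ValueError("table and column must be plain identifiers")
    hits = []
    for rowid, stored in conn.execute(f"SELECT rowid, {column} FROM {table}"):
        if isinstance(stored, str) and decodes_to_readable_text(stored):
            hits.append((rowid, base64.b64decode(stored).decode("utf-8")))
    return hits


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the skill's SQLite file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE memories (id INTEGER PRIMARY KEY, content TEXT)")
    rows = [
        # Two rows stored the way the finding describes: base64 over plaintext.
        base64.b64encode(b"api_token=constructed-example-token-not-real").decode(),
        base64.b64encode(b"user prefers terse replies; avoid rewriting tests").decode(),
        # Deterministic non-UTF-8 bytes standing in for real ciphertext.
        base64.b64encode(bytes(range(0, 256, 7))).decode(),
    ]
    conn.executemany("INSERT INTO memories (content) VALUES (?)", [(r,) for r in rows])
    return conn


if __name__ == "__main__":
    for rowid, text in find_plaintext_memories(build_sample_db()):
        print(f"row {rowid} is readable plaintext: {text!r}")
```

Point `find_plaintext_memories` at a real connection to `~/.agent-memory`'s database and an empty result is what an encrypted store should produce; any hit is a record that `base64 -d` reverses with no key.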

HIGH Identical 'Original' and 'Improved' Clients — Fabricated Security Fix History -40

memory_client.py and memory_client_original.py produce the same SHA256 hash, proving they are byte-for-byte identical. The CHANGELOG.md claims the client was 'completely rewritten with proper cryptography' and that Ed25519 signatures were fixed. The identical hashes falsify these claims entirely. The entire premise of this skill — that it is an 'improved' version with working cryptography — is fabricated. The skill version history exists only to create a false sense of legitimacy and security improvement.

HIGH Memory Service Binds to All Network Interfaces (0.0.0.0) via start.sh -20

main.py defaults to host='0.0.0.0' exposing the memory service on all network interfaces including external ones. The setup.sh script correctly configures uvicorn to 127.0.0.1:8742, but start.sh (the documented quick-start method) runs 'python3 main.py' directly, which falls through to the 0.0.0.0:8000 default. Any device on the same LAN can reach the memory service and attempt to retrieve stored memories.

HIGH Wildcard CORS Exposes Local Memory API to Any Website -20

The FastAPI service applies allow_origins=['*'] with allow_credentials=True. Browsers refuse to expose a credentialed response whose Access-Control-Allow-Origin is a literal '*', so the CORS middleware echoes the requesting origin back instead; the credentials flag does not neutralize the wildcard, it only makes the echo explicit. Any webpage the user visits can therefore send cross-origin requests to http://127.0.0.1:8000 and read the responses, and because the API authenticates with a signature rather than a browser cookie, the page needs no user credentials at all, only a signed retrieve request. Combined with the replay-vulnerable authentication and base64 'encryption,' a single malicious page visit can silently exfiltrate all stored agent memories.
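To check this finding against a running instance, send the preflight a browser would send for a cross-origin POST and inspect what comes back. The probe below is an added example, not the skill's code: `probe_cors` is the part you would point at the real service (the address and the `/memory/retrieve` path come from the findings above), while `start_stub` is a constructed stand-in that mimics either the reported wildcard-with-credentials behaviour or an explicit allowlist so the example runs offline. The allowlisted origin in the stub is hypothetical; an agent-only API has no reason to allow any browser origin.

```python
"""Added example (not the skill's code): probe a local HTTP service for a
wildcard-with-credentials CORS policy.  The stub server is constructed."""
import http.server
import threading
import urllib.error
import urllib.request


def probe_cors(base_url: str, origin: str = "https://attacker.example",
               path: str = "/memory/retrieve") -> dict:
    """Send a browser-style preflight from `origin` and report what it would allow."""
    req = urllib.request.Request(
        base_url + path,
        method="OPTIONS",
        headers={
            "Origin": origin,
            "Access-Control-Request-Method": "POST",
            "Access-Control-Request-Headers": "content-type",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=3) as resp:
            headers = resp.headers
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry CORS headers
        headers = err.headers
    allow_origin = headers.get("Access-Control-Allow-Origin", "")
    allow_credentials = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    return {
        "allow_origin": allow_origin,
        "allow_credentials": allow_credentials,
        # A page on `origin` can read responses if its origin is echoed or '*'
        # is returned; signature-based auth travels in the request, so no
        # cookie (and hence no credentials flag) is needed for that.
        "cross_origin_readable": allow_origin in (origin, "*"),
        # Cookie-bearing requests additionally need the explicit echo + flag.
        "credentialed_readable": allow_origin == origin and allow_credentials,
    }


class _StubHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the memory service.  `policy` is either
    'wildcard' (the reported configuration) or 'allowlist'."""
    policy = "wildcard"
    allowlist = ("http://127.0.0.1:8000",)  # hypothetical allowlist entry

    def do_OPTIONS(self):
        origin = self.headers.get("Origin", "")
        self.send_response(200)
        if self.policy == "wildcard":
            # What allow_origins=['*'] + allow_credentials=True yields on a
            # preflight: the caller's origin echoed, credentials permitted.
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Access-Control-Allow-Credentials", "true")
        elif origin in self.allowlist:
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Vary", "Origin")
        # Unknown origins under the allowlist get no CORS headers at all.
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stub(policy: str = "wildcard"):
    """Start the stub on an ephemeral loopback port; returns (server, base_url)."""
    handler = type("Handler", (_StubHandler,), {"policy": policy})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    for policy in ("wildcard", "allowlist"):
        server, url = start_stub(policy)
        print(policy, probe_cors(url))
        server.shutdown()
        server.server_close()
```

Against the real service, `probe_cors("http://127.0.0.1:8000")` returning `cross_origin_readable: True` for an origin you do not control confirms the finding; the fix is an explicit origin list (or no browser origins at all) with the credentials flag dropped unless a cookie-based flow genuinely needs it.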

HIGH Persistent Agent Behavior Modification via Externally-Controlled Memory Store -20

SELF_IMPROVEMENT_GUIDE.md instructs the agent to load stored memories at each session start and apply them to modify its behavior: communication verbosity, technical approach, which techniques to avoid, and active goals. Because the memory store is a local SQLite database that any process with file access can write to, a compromised memory payload could persistently alter the agent's behavior across all future sessions without any SKILL.md-level injection.

HIGH No Replay Attack Protection on Memory Retrieve Endpoint -15

The /memory/retrieve and /memory/history endpoints require an Ed25519 signature over 'retrieve:{timestamp}' but never validate that the timestamp is recent. A valid signed retrieve request captured at any point can be replayed indefinitely. An attacker who intercepts one request gains permanent read access to all stored memories without needing the private key.
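The fix for this finding is to bind the signature to a short validity window and a single-use nonce, and to reject stale or repeated requests before doing any signature work. The code below is an added example, not the skill's code: HMAC-SHA256 stands in for the skill's Ed25519 signatures so that it runs on the standard library (the window and nonce logic is unchanged with a real Ed25519 library), and `LegacyVerifier` reproduces the reported 'retrieve:{timestamp}' check only to show the replay succeeding against it.

```python
"""Added example (not the skill's code): replay protection for signed retrieve
requests.  HMAC-SHA256 is a stand-in for Ed25519; the freshness and nonce
logic is what the example demonstrates."""
import hashlib
import hmac
import secrets

MAX_SKEW_SECONDS = 30  # assumption: allow this much clock drift either way


def sign(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_sig(key: bytes, message: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(key, message), signature)


class LegacyVerifier:
    """Mirrors the finding: signature over 'retrieve:{timestamp}', timestamp unchecked."""

    def __init__(self, key: bytes):
        self.key = key

    def check(self, timestamp: int, signature: str, now: float) -> bool:
        return verify_sig(self.key, f"retrieve:{timestamp}".encode(), signature)


class HardenedVerifier:
    """Accepts a signed request once, and only while its timestamp is fresh."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self._seen = {}  # nonce -> time at which it can be forgotten

    def _expire(self, now: float) -> None:
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}

    def check(self, timestamp: int, nonce: str, signature: str, now: float) -> bool:
        # 1. Freshness first: stale or future-dated requests fail cheaply.
        if abs(now - timestamp) > self.max_skew:
            return False
        # 2. The signature covers timestamp AND nonce, so neither can be swapped.
        if not verify_sig(self.key, f"retrieve:{timestamp}:{nonce}".encode(), signature):
            return False
        # 3. Single use: a nonce accepted inside the window is rejected again.
        self._expire(now)
        if nonce in self._seen:
            return False
        # Nonces only need remembering for as long as the timestamp check
        # would still let them through.
        self._seen[nonce] = now + self.max_skew
        return True


def make_request(key: bytes, now: float):
    """Client side: fresh timestamp, random nonce, signature over both."""
    ts = int(now)
    nonce = secrets.token_hex(16)
    return ts, nonce, sign(key, f"retrieve:{ts}:{nonce}".encode())


def demo() -> dict:
    key = secrets.token_bytes(32)
    t0 = 1_700_000_000  # fixed clock so the outcome is deterministic
    legacy = LegacyVerifier(key)
    legacy_sig = sign(key, f"retrieve:{t0}".encode())
    hardened = HardenedVerifier(key)
    ts, nonce, sig = make_request(key, t0)
    return {
        "legacy_replay_a_day_later": legacy.check(t0, legacy_sig, t0 + 86_400),
        "hardened_fresh": hardened.check(ts, nonce, sig, t0 + 1),
        "hardened_replay_immediately": hardened.check(ts, nonce, sig, t0 + 2),
        "hardened_replay_a_day_later": hardened.check(ts, nonce, sig, t0 + 86_400),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The nonce cache is bounded by the clock window, which is what makes an in-memory dict acceptable for a single-user local service; a multi-process deployment would need the cache in shared storage, and the client's clock must be within `MAX_SKEW_SECONDS` of the server's.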

MEDIUM Misleading Manifest Homepage Links to Unrelated Third-Party Project -15

The manifest.json homepage field points to https://github.com/vercel-labs/agent-browser, which is an entirely unrelated browser automation project. This deceptive metadata could mislead users into associating this skill with a legitimate known project during pre-install review.

MEDIUM Recovery Phrase (Private Key) Stored in Plaintext on Disk -10

The BIP39 recovery phrase is functionally equivalent to the Ed25519 private key — possessing it allows complete identity recovery and agent impersonation. identity.json stores this phrase in plaintext. Any process or user with read access to ~/.agent-memory/identity.json can permanently impersonate the agent and access all stored memories.

LOW Author's Internal Publishing Workflow Accidentally Included in Skill -10

UPLOAD.md contains the author's ClawdHub publishing commands, version notes, and internal packaging checklist. Its presence in the published skill indicates careless packaging hygiene and reveals the author's internal process, raising broader quality concerns.

INFO Unused Dependency: base58 -5

requirements.txt declares base58==2.1.1 but no source file contains an import of this package. This inflates the dependency surface unnecessarily.