Oathe Security Badge

Is thedotmack/claude-mem safe?

https://github.com/thedotmack/claude-mem

74
CAUTION

claude-mem is a legitimate and actively maintained persistent memory system for Claude Code that captures AI session observations, summarizes them via external AI APIs, and injects relevant context into future sessions. The primary security concern is architectural: by design, the skill captures complete tool outputs (including sensitive file reads) and transmits them to external AI providers, meaning any credentials or secrets the agent encounters during normal work are processed externally and stored in a local database. The installation itself was clean with no malicious behavior, no canary file compromise, and no unexpected network activity, but users should understand they are opting into continuous surveillance of all agent activity by external AI services.

Category Scores

Prompt Injection 78/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (10)

HIGH All tool outputs captured and sent to external AI APIs -25

The PostToolUse hook fires on every tool call (Read, Edit, Bash, Write, etc.) and sends the tool name, input, and full output to the local worker service which then forwards it to external AI APIs (Claude, Gemini, or OpenRouter) for summarization. This means the complete content of any file the agent reads — including .env files, SSH keys, AWS credentials, database passwords — is transmitted to external AI providers and stored in a local SQLite database.

HIGH Persistent background HTTP service auto-starts on every session -20

A Node.js/Bun background service starts automatically via the SessionStart hook on every Claude Code session. It binds to localhost:37777, manages SQLite databases, and handles AI API calls. This service runs continuously, accumulates data across all sessions, and is started from a large pre-compiled CJS bundle that is difficult to fully audit.

MEDIUM Hooks inject observation context into Claude system prompt -15

The SessionStart hook fetches the observation timeline from the worker and injects it into Claude's system prompt via the additionalContext field. Injected content comes from observations stored in the database, which includes unvalidated content from previous tool outputs. If a prior session observed adversarially crafted content (e.g., from reading a file with embedded prompt injection), that content would be re-injected into future sessions.

MEDIUM PostHog telemetry collects usage analytics -15

The codebase includes a comprehensive telemetry system using posthog-node that reports installation events, feature usage, and error data to PostHog analytics. The consent system exists but telemetry fires on install and usage events. The scrubbing code exists (error-scrub.ts) but its completeness cannot be verified from source alone.

MEDIUM learn-codebase skill intentionally exfiltrates entire repository -15

The learn-codebase skill explicitly instructs the agent to read every single source file in the project, stating this is 'critical and non-negotiable'. Combined with observation capture, this creates a complete dump of the entire codebase that gets summarized by external AI services and stored permanently in the local observation database.

MEDIUM Pre-compiled bundled CJS artifacts have limited auditability -10

The distributed plugin scripts (worker-service.cjs, mcp-server.cjs, context-generator.cjs, transcript-watcher.cjs) are large pre-compiled bundles. While source TypeScript is provided, verifying the distributed bundles match the source requires reproducing the build. The worker-service.cjs bundle is the primary security boundary.

LOW Observation feed can forward all captures to external messaging services -5

An opt-in OpenClaw integration and configuration option enables forwarding every observation in real-time to Telegram, Discord, Slack, Signal, WhatsApp, or LINE channels. While opt-in, the infrastructure for streaming all captured agent activity to external services is built in.

LOW AI provider API keys stored in plaintext local settings -10

Gemini, OpenRouter, and Anthropic API keys are stored in plaintext in ~/.claude-mem/settings.json. Any process with read access to the home directory can retrieve these credentials.

INFO Clean installation — only GitHub network connections observed -10

During the clone phase, network activity was limited to GitHub (140.82.121.3, 185.125.190.49) for the git clone. No connections to unexpected third-party endpoints, no C2 beacons, no exfiltration attempts during installation.

INFO Canary file access attributable to audit framework integrity check -5

All six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were read during the audit run, but the simultaneous access pattern and timing (immediately following the audit cleanup bash -s script at audit sequence ~8862-8894) indicates this was the audit system itself performing the integrity verification check, not the claude-mem skill. All canary files were unmodified.