
rohitg00/agentmemory

v0.8.2 Security

This release includes 6 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 6 known CVEs

Topics

agentmemory agents ai claude claudecode codex copilot cursor genai harness hermes memory openclaw

Affected surfaces

auth rbac rce_ssrf breaking_upgrade

Summary

AI summary

Updates What's New, Infrastructure, and https://github.com/rohitg00/agentmemory/blob/main/benchmark/COMPARISON.md across a mixed release.

Full changelog

Security Release

This release ships 6 security fixes addressing vulnerabilities in default deployments. Users on v0.8.1 should upgrade immediately.

Fixed CVEs

| Severity | Issue |
|---|---|
| 🔴 CRITICAL | Stored XSS in real-time viewer (inline onclick= + script-src 'unsafe-inline') |
| 🔴 CRITICAL | curl \| sh remote shell execution in CLI startup |
| 🟠 HIGH | Default 0.0.0.0 binding exposed memory store on LAN |
| 🟠 HIGH | Unauthenticated mesh sync endpoints |
| 🟡 MEDIUM | Path traversal in Obsidian export (vaultDir) |
| 🟡 MEDIUM | Incomplete secret redaction (missing Bearer, sk-proj-*, ghs_/ghu_) |

See the GitHub Security Advisories for CVSS scores and full details.
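
The redaction gap in the last table row, as an added example that is not agentmemory's code: a redactor that covers the three token shapes the release names (Bearer credentials, `sk-proj-*` keys, `ghs_`/`ghu_` tokens). The patterns, minimum lengths, `redact` helper and sample lines are assumptions constructed for illustration.

```javascript
// Added example: these patterns are illustrative assumptions, not the project's rules.
const SECRET_PATTERNS = [
  // Authorization credentials: keep the scheme word, drop the token.
  // The 16-char minimum avoids matching prose such as "bearer of news".
  { name: "bearer", re: /\b(Bearer)\s+[A-Za-z0-9._~+\/=-]{16,}/gi, keepScheme: true },
  // sk- style API keys, including the project-scoped sk-proj- form.
  { name: "sk-key", re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{16,}/g },
  // GitHub token families: ghp_, gho_, ghu_, ghs_, ghr_.
  { name: "github", re: /\bgh[pousr]_[A-Za-z0-9]{20,}/g },
];

// Returns the redacted text plus the names of the patterns that fired,
// so callers can log *that* something was removed without logging the value.
function redact(text) {
  const hits = [];
  let out = text;
  for (const { name, re, keepScheme } of SECRET_PATTERNS) {
    out = out.replace(re, (match, scheme) => {
      hits.push(name);
      return keepScheme ? `${scheme} [REDACTED]` : "[REDACTED]";
    });
  }
  return { text: out, hits };
}

// Constructed sample observations (tokens are synthetic repeats, not real secrets).
const SAMPLE = [
  'curl -H "Authorization: Bearer ' + "a1B2".repeat(8) + '" https://api.example.test/v1',
  "OPENAI_API_KEY=sk-proj-" + "x9Y8".repeat(10),
  "git remote uses ghs_" + "Z".repeat(36) + " for the app install",
  "refresh with ghu_" + "q".repeat(36),
  "no secrets here: task-list and bearer of news",
];

for (const line of SAMPLE) {
  const { text, hits } = redact(line);
  console.log(hits.length ? `[${hits.join(",")}]` : "[clean]", text);
}
```

Running the same samples through a redactor before and after an upgrade is a quick way to confirm that previously stored observations need re-scrubbing.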

Upgrade

npx @agentmemory/agentmemory@latest

Or in Claude Code:

/plugin update agentmemory

What's New

agentmemory demo CLI command

30-second "show don't tell" that seeds 3 realistic sessions and runs smart-search queries. Proves semantic search finds "N+1 query fix" when you ask about "database performance optimization" — keyword matching can't do that.

npx @agentmemory/agentmemory           # start the server
npx @agentmemory/agentmemory demo      # seed + search in 30s

Competitor comparison page

New benchmark/COMPARISON.md with head-to-head data against mem0 (53K⭐), Letta/MemGPT (22K⭐), Khoj (34K⭐), claude-mem (46K⭐), and Hippo. 18-dimension feature matrix, honest LongMemEval vs LoCoMo caveats.

OpenClaw gateway plugin

New integrations/openclaw/ plugin with 4 lifecycle hooks (onSessionStart, onPreLlmCall, onPostToolUse, onSessionEnd). Follows the same pattern as the existing Hermes integration. Includes a paste-this-prompt block for zero-effort setup.

Token savings dashboard

agentmemory status now shows cumulative token savings + dollar cost saved ($0.30/1K tokens baseline). Same card in the real-time viewer on :3113.

Paste-this-prompt blocks

Main README and both integration READMEs (OpenClaw, Hermes) now open with copy-pasteable text blocks users drop into their agent. The agent handles the whole setup automatically.

60 custom SVG tags

Full README visual redesign — 30 dark-bg + 30 light-bg variants under assets/tags/. Section headers, stat cards, pill tags, and utility badges. Uses GitHub <picture> elements to auto-swap based on reader theme (dark theme → light-bg SVGs, light theme → dark-bg SVGs).

Real agent logos

Supported Agents grid now shows real brand logos for all 16 agents (Claude Code, OpenClaw, Hermes, Cursor, Gemini CLI, OpenCode, Codex CLI, Cline, Goose, Kilo Code, Aider, Claude Desktop, Windsurf, Roo Code, Claude SDK, plus any MCP client).

Fixed

  • Viewer cost calculation was 100x under-reporting (tokens→dollars→cents conversion bug). 100K tokens now correctly shows $30.00 instead of 30ct.
  • ObservationType union was missing "image" while VALID_TYPES included it (broke exhaustive checks).
  • Dynamic imports inside nested eviction loops — hoisted once at the top for better perf.
  • OpenClaw /agentmemory/context payload didn't match the server contract — now sends { sessionId, project, budget }.
  • Cursor cell in README Supported Agents grid was missing its label.
  • Codex CLI logo URL returned 404 from simple-icons — switched all logos to GitHub org avatars for reliability.

Infrastructure

  • 654 tests (up from 646 in v0.8.1), including 8 new tests for viewer security, mesh auth, privacy redaction, and export confinement.
  • All 60 custom SVGs validated with xmllint.
  • README consistency check updated for new tool counts.

Full changelog

See CHANGELOG.md for the complete list of changes.

Contributors

  • @rohitg00 — maintainer
  • @eng-pf — security PR #108 (6 CVE fixes)
  • @Tanmay-008 — multimodal memory PR #111 (in review)

Security Fixes

  • CVE‑XXXX‑0001 – Stored XSS in real-time viewer (inline onclick= + script-src 'unsafe-inline') — CRITICAL
  • CVE‑XXXX‑0002 – Remote shell execution via `curl | sh` during CLI startup — CRITICAL
  • CVE‑XXXX‑0003 – Default 0.0.0.0 binding exposing memory store on LAN — HIGH
  • CVE‑XXXX‑0004 – Unauthenticated mesh sync endpoints — HIGH
  • CVE‑XXXX‑0005 – Path traversal in Obsidian export (`vaultDir`) — MEDIUM
  • CVE‑XXXX‑0006 – Incomplete secret redaction (missing Bearer, sk-proj-*, ghs_/ghu_) — MEDIUM
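
For the `vaultDir` path traversal item, an added example (not the project's code) of confining a caller-supplied export directory to a fixed root. `EXPORT_ROOT`, `confineVaultDir` and `check` are hypothetical names; the page does not say where agentmemory confines exports.

```javascript
const path = require("node:path");

// Hypothetical export root, assumed for this example.
const EXPORT_ROOT = "/home/dev/.agentmemory/exports";

// Resolve a caller-supplied vaultDir and reject anything that lands outside root.
function confineVaultDir(vaultDir, root = EXPORT_ROOT) {
  if (typeof vaultDir !== "string" || vaultDir.length === 0 || vaultDir.includes("\0")) {
    throw new Error("vaultDir must be a non-empty string without NUL bytes");
  }
  const base = path.resolve(root);
  // An absolute vaultDir replaces base entirely, so it is caught by the check below.
  const target = path.resolve(base, vaultDir);
  const rel = path.relative(base, target);
  // Compare path segments, not string prefixes: "/…/exports-evil" starts with
  // "/…/exports" as a string but is a sibling directory, not a child.
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`vaultDir escapes export root: ${vaultDir}`);
  }
  return target;
}

// Returns the confined absolute path, or null when the input is rejected.
function check(vaultDir) {
  try {
    return confineVaultDir(vaultDir);
  } catch {
    return null;
  }
}

// Constructed inputs covering the common escape shapes.
for (const dir of ["notes/project-a", "../../.ssh", "/etc/cron.d", "notes/../../exports-evil", "..notes"]) {
  console.log(JSON.stringify(dir), "->", check(dir) ?? "rejected");
}
```

`path.resolve` is purely lexical, so a root that can contain symlinks also needs an `fs.realpathSync` comparison before writing.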
