github rohitg00/agentmemory v0.8.2
v0.8.2 — Security Release + Growth Features

one month ago

Security Release

This release ships 6 security fixes addressing vulnerabilities in default deployments. Users on v0.8.1 should upgrade immediately.

Fixed CVEs

Severity | Issue
🔴 CRITICAL | Stored XSS in real-time viewer (inline onclick= + script-src 'unsafe-inline')
🔴 CRITICAL | curl | sh remote shell execution in CLI startup
🟠 HIGH | Default 0.0.0.0 binding exposed memory store on LAN
🟠 HIGH | Unauthenticated mesh sync endpoints
🟡 MEDIUM | Path traversal in Obsidian export (vaultDir)
🟡 MEDIUM | Incomplete secret redaction (missing Bearer, sk-proj-*, ghs_/ghu_)

See the GitHub Security Advisories for CVSS scores and full details.
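
As an added illustration of the secret-redaction row above (not agentmemory's own code), here is a redaction pass covering the three token shapes named there. The regexes, length thresholds, rule names and sample values are assumptions constructed for this example.

```javascript
// Added example, not agentmemory's code. Regexes and length thresholds are
// assumptions; the sample values are constructed and are not real credentials.
const MASK = "[REDACTED]";

const RULES = [
  // Authorization credentials: keep the scheme, mask the token. The 16-char
  // minimum avoids masking prose such as "a Bearer token".
  { name: "bearer", re: /\b(Bearer)\s+[A-Za-z0-9._~+\/-]{16,}=*/gi,
    mask: (_match, scheme) => `${scheme} ${MASK}` },
  // sk- keys, including the project-scoped form. A character class without
  // "-" would stop at the second hyphen of sk-proj- and miss the key.
  { name: "sk-key", re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}/g, mask: () => MASK },
  // GitHub token prefixes: ghp_, gho_, ghu_, ghs_, ghr_.
  { name: "github", re: /\bgh[pousr]_[A-Za-z0-9]{36,}/g, mask: () => MASK },
];

// Returns the masked text plus the rule name for every match, so callers can
// log that redaction happened without logging the secret itself.
function redactSecrets(text) {
  const hits = [];
  let out = String(text);
  for (const rule of RULES) {
    out = out.replace(rule.re, (...args) => {
      hits.push(rule.name);
      return rule.mask(...args);
    });
  }
  return { text: out, hits };
}

// Constructed sample input.
const SAMPLE = [
  "Authorization: Bearer " + "a".repeat(32),
  "OPENAI_API_KEY=sk-proj-" + "B".repeat(40),
  "token=ghs_" + "C".repeat(36) + " user=ghu_" + "D".repeat(36),
  "note: send a Bearer token, see task-proj-notes", // must stay untouched
].join("\n");

const result = redactSecrets(SAMPLE);
console.log(result.text);
console.log(result.hits.join(","));
```

Running the function a second time over its own output changes nothing, which makes it safe to apply at both write time and export time.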

Upgrade

npx @agentmemory/agentmemory@latest

Or in Claude Code:

/plugin update agentmemory

What's New

agentmemory demo CLI command

A 30-second "show, don't tell" demo that seeds 3 realistic sessions and runs smart-search queries. It proves that semantic search finds "N+1 query fix" when you ask about "database performance optimization", which keyword matching can't do.

npx @agentmemory/agentmemory           # start the server
npx @agentmemory/agentmemory demo      # seed + search in 30s

Competitor comparison page

New benchmark/COMPARISON.md with head-to-head data against mem0 (53K⭐), Letta/MemGPT (22K⭐), Khoj (34K⭐), claude-mem (46K⭐), and Hippo. 18-dimension feature matrix, honest LongMemEval vs LoCoMo caveats.

OpenClaw gateway plugin

New integrations/openclaw/ plugin with 4 lifecycle hooks (onSessionStart, onPreLlmCall, onPostToolUse, onSessionEnd). Follows the same pattern as the existing Hermes integration. Includes a paste-this-prompt block for zero-effort setup.

Token savings dashboard

agentmemory status now shows cumulative token savings + dollar cost saved ($0.30/1K tokens baseline). Same card in the real-time viewer on :3113.

Paste-this-prompt blocks

Main README and both integration READMEs (OpenClaw, Hermes) now open with copy-pasteable text blocks users drop into their agent. The agent handles the whole setup automatically.

60 custom SVG tags

Full README visual redesign — 30 dark-bg + 30 light-bg variants under assets/tags/. Section headers, stat cards, pill tags, and utility badges. Uses GitHub <picture> elements to auto-swap based on reader theme (dark theme → light-bg SVGs, light theme → dark-bg SVGs).

Real agent logos

Supported Agents grid now shows real brand logos for all 16 agents (Claude Code, OpenClaw, Hermes, Cursor, Gemini CLI, OpenCode, Codex CLI, Cline, Goose, Kilo Code, Aider, Claude Desktop, Windsurf, Roo Code, Claude SDK, plus any MCP client).

Fixed

  • Viewer cost calculation was 100x under-reporting (tokens→dollars→cents conversion bug). 100K tokens now correctly shows $30.00 instead of 30ct.
  • ObservationType union was missing "image" while VALID_TYPES included it (broke exhaustive checks).
  • Dynamic imports inside nested eviction loops — hoisted once at the top for better perf.
  • OpenClaw /agentmemory/context payload didn't match the server contract — now sends { sessionId, project, budget }.
  • Cursor cell in README Supported Agents grid was missing its label.
  • Codex CLI logo URL returned 404 from simple-icons — switched all logos to GitHub org avatars for reliability.

Infrastructure

  • 654 tests (up from 646 in v0.8.1), including 8 new tests for viewer security, mesh auth, privacy redaction, and export confinement.
  • All 60 custom SVGs validated with xmllint.
  • README consistency check updated for new tool counts.

Full changelog

See CHANGELOG.md for the complete list of changes.
