@modelcontextprotocol/server-memory

MCP

MCP server for enabling memory for Claude through a knowledge graph

v0.6.3 | SEE LICENSE IN LICENSE | Tested 8 Feb 2026
7.0

Dimension scores

Security 6.0
Reliability 7.0
Agent usability 7.0
Compatibility 9.0
Code health 7.0

Compatibility

Framework | Status | Notes
Claude Code | |
OpenAI Agents SDK | | May need minor schema adaptation for nested array types in create_entities and create_relations
LangChain | | Stateful file-based persistence may require careful handling in LangChain's execution model

Security findings

HIGH

Path traversal vulnerability in MEMORY_FILE_PATH environment variable

In ensureMemoryFilePath(), the MEMORY_FILE_PATH environment variable is used directly with path.resolve() without sanitization. An attacker could set MEMORY_FILE_PATH='../../../etc/passwd' to read/write arbitrary files. The code in index.ts accepts user-controlled paths without validation against directory traversal patterns.

HIGH

Unvalidated entity names allow file system manipulation

Entity names are used directly, without validation, in the create_entities tool. Names could contain path traversal sequences (../) or special characters that could be exploited if entity names are later used in file operations or other contexts. No length limits or character restrictions are enforced on entity names.

MEDIUM

No input length limits on observations and entity fields

MEDIUM

Verbose error messages may leak internal state

MEDIUM

No authorization or authentication mechanism

MEDIUM

Race conditions in file operations

Reliability

Success rate

82%

Calls made

100

Avg latency

45ms

P95 latency

120ms

Failure modes

  • No validation of entity name uniqueness before operations - may create duplicate entities silently
  • Missing input validation for empty strings in entity names and observation contents
  • No bounds checking on array sizes - large entity/relation arrays could cause memory issues
  • File I/O operations lack explicit error handling for disk full, permission denied scenarios
  • Concurrent writes to memory.jsonl file are not protected - race conditions possible
  • search_nodes query parameter has no length validation - extremely long queries could hang
  • Unicode and special characters in entity names/observations not validated - may cause JSON parsing issues
  • No timeout protection on file operations - slow disk I/O could block indefinitely
  • Delete operations are silent on non-existent entities - no feedback on whether deletion occurred
  • Migration from memory.json to memory.jsonl lacks atomic operation - partial migration possible on crash

Code health

License

SEE LICENSE IN LICENSE

Has tests

Yes

Has CI

No

Dependencies

5

Well-documented MCP memory server with good test coverage. Has TypeScript configuration and test files using Vitest. Published to npm registry (@modelcontextprotocol/server-memory v0.6.3). Missing CI configuration and changelog. License reference is non-standard ('SEE LICENSE IN LICENSE' instead of SPDX identifier). Test files show comprehensive unit testing including migration scenarios and edge cases. Dependencies are minimal (1 runtime, 4 dev). Has Docker support. Documentation is excellent with clear API descriptions and setup instructions. Cannot assess git activity metrics as only source directory was provided, not full repository.