XMemo Skills
Standalone agent memory runtime
Equip your AI agents with a standalone, secure memory runtime. The bundled Node script runs locally, connects directly over HTTPS, and authenticates via device login to read, write, and manage memory without requiring MCP servers or host-specific plugins.
Open Docs chapter
MCP not required
Run standalone ESM Node scripts directly. No Stdio server setup or complex client integrations required.
Device-code sign-in
Secure authentication without token paste. Authenticate agents using standard browser authorization.
Direct /v1/skill/operations
Execute secure operations directly against the operations endpoint using a scoped skill_token.
One Skill, its own runtime
The standalone Skill architecture executes in four distinct, secure steps:
node skills/xmemo/scripts/xmemo-skill.mjs doctor
node skills/xmemo/scripts/xmemo-skill.mjs login
node skills/xmemo/scripts/xmemo-skill.mjs auth-status --verify
node skills/xmemo/scripts/xmemo-skill.mjs remember --content "Decision: use standalone Skill runtime"
node skills/xmemo/scripts/xmemo-skill.mjs recall --query "standalone Skill runtime"
node skills/xmemo/scripts/xmemo-skill.mjs logout
- 1. Local Execution — Agent executes the bundled ESM Node script in the workspace.
- 2. Initiate Login — The script starts the device login flow if no token is cached.
- 3. User Approval — The user approves access in the browser to issue a secure token.
- 4. HTTPS Operations — The script calls /v1/skill/operations directly over HTTPS.
Install the Skill package
Install or copy the XMemo Skill directory into the agent workspace. Run the bundled script with Node. The script uses only built-in Node modules and talks directly to XMemo over HTTPS. The npm package is one distribution channel for the Skill files; the Skill runtime itself is the bundled script.
- Skill directory — skills/xmemo
- Entrypoint — skills/xmemo/scripts/xmemo-skill.mjs
- Runtime — Node.js
- External dependencies — none
Sign in without pasting tokens
First run can start device-code login. The user approves in the browser, and the browser page never displays the bearer token. The Skill stores a user-scoped credential file, and logout uses self-revoke against the active token.
node skills/xmemo/scripts/xmemo-skill.mjs login
node skills/xmemo/scripts/xmemo-skill.mjs auth-status --verify
node skills/xmemo/scripts/xmemo-skill.mjs logout
- POST /v1/auth/device/start — Initiate device authorization code flow.
- POST /v1/auth/device/token — Exchange device code for a session token.
- POST /v1/auth/token/validate — Validate current token authenticity.
- POST /v1/auth/token/revoke-self — Revoke current token and sign out.
Operations agents can perform
Agents talk directly to /v1/skill/operations using a scoped skill_token. The following commands cover all supported operations:
- remember — Scope: memory:write · node skills/xmemo/scripts/xmemo-skill.mjs remember --content "text"
- recall — Scope: memory:read · node skills/xmemo/scripts/xmemo-skill.mjs recall --query "query"
- search — Scope: memory:read · node skills/xmemo/scripts/xmemo-skill.mjs search --query "query"
- save-state — Scope: memory:write · node skills/xmemo/scripts/xmemo-skill.mjs save-state --key "key" --content "content"
- restore-state — Scope: memory:read · node skills/xmemo/scripts/xmemo-skill.mjs restore-state --key "key"
- todo-add — Scope: memory:write · node skills/xmemo/scripts/xmemo-skill.mjs todo-add --content "task"
- todo-list — Scope: memory:read · node skills/xmemo/scripts/xmemo-skill.mjs todo-list
- todo-done — Scope: memory:write · node skills/xmemo/scripts/xmemo-skill.mjs todo-done --id "task_id"
- expense-add — Scope: ledger:write · node skills/xmemo/scripts/xmemo-skill.mjs expense-add --item "item" --amount 10
- doctor — Scope: none (anonymous allowed) · bad credentials fail
Designed for agent environments
XMemo Skill is built with security first. Authorization uses a dedicated skill_token credential, and token values are never exposed or printed.
- No token exposure — Discovery responses and local runtime execution never print active tokens.
- No commits — Cached credentials must be kept out of version control and public repositories.
- Fail-closed — Bad credentials fail diagnostics checks (doctor) instead of silently allowing anonymous operations.
- Separate surfaces — MCP configuration is entirely optional, isolated from the standalone Skill runtime.
Choose the right XMemo surface
Select the interface that matches your client's runtime capabilities:
- Standalone Skill — Best for: AI agents that can run local scripts and need memory operations directly · Runtime: Node + Skill files
- MCP — Best for: MCP-native clients and hosted tool discovery · Runtime: MCP-capable client
- Plugin — Best for: Host-specific native integration · Runtime: Host plugin runtime
- REST API — Best for: Custom applications and services · Runtime: HTTPS client
Machine-readable Skill discovery
Agents can automatically discover Skill runtime specifications and API endpoints by parsing the well-known discovery contracts.
- Discovery contracts — /.well-known/agent-discovery.json and /.well-known/memory-os.json
- Runtime Model — standalone_skill.runtime_model = "standalone_skill"
- No dependencies — mcp_required = false, npm_cli_required = false
- API endpoints — Operations endpoint is /v1/skill/operations
- Credential type — Token type is skill_token