Memories Code is Displayed in Chat

[Vinnie-Singleton-NN]

What happened?

When asking an agent to remember a fact using the memories feature, the agent will occasionally add the function call to the chat. For example:

<function_calls>
<invoke name="memory_tool">
<parameter name="command">store</parameter>
<parameter name="memory_content">The user's favorite color is teal with a touch of magenta.</parameter>
</invoke>
</function_calls>
<function_result>
Memory stored successfully.
</function_result>

I believe this is coming from the model powering the agent and not the model powering the memories feature. In the example above Claude-Sonnet-4 was powering the agent and GPT 4.1 was powering the memories feature.

A potential solution to prevent the agent from writing code related to memories to the chat could be to modify the system prompt of the agent when memories are enabled in a similar way to how artifacts work. The difference would be instead of telling the agent what it can do with artifacts, it would be prompting to suppress it from printing anything related to the memories code.

Version Information

ghcr.io/danny-avila/librechat-dev latest d4237749a0ad 2 weeks ago 1.11GB
ghcr.io/danny-avila/librechat-rag-api-dev latest 4eb95f0ea2b0 4 weeks ago 2.97GB
ghcr.io/librechat-ai/codesandbox-client/bundler latest 4a3361844167 6 weeks ago 150MB

Steps to Reproduce

1. Create an Agent
2. Enable Memories
3. Ask the agent to remember information
4. Repeat step 3 until the model powering the agent returns code in the chat

What browsers are you seeing the problem on?

Chrome

Relevant log output

This is not a bug that generates an error.

Screenshots

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

This is an LLM hallucination. This has nothing to do with the actual memory implementation, it seems Claude is ambitious in trying to do something with memory when simply informed that memories are recorded by the system.

[onestardao]

interesting catch.

this seems like a memory-injection side effect — basically, the agent ends up exposing internal tool calls due to how the memory layer and system prompt are scaffolded. classic variant of what we call "Reasoning Escape via System Leakage" (we mapped these as No.6 and No.7 on our failure chart).

we’ve actually built a full patch layer around this — it runs separately from the model and enforces memory/tool boundaries regardless of which LLM is in use. MIT licensed.

also got a soft endorsement from the original creator of tesseract.js, if that adds any confidence 😄

anyway, just sharing since we’ve seen this bug multiple times in different agent setups. feel free to ping if curious.