Skill v1.0.0

ClawScan security

Auto Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 2, 2026, 12:34 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and requested credential align with its stated purpose (permanent storage on the Autonomys Auto Drive) and there are no signs of unrelated or covert behaviors.
Guidance
This skill appears to do what it says: store and retrieve immutable memories on the Autonomys Auto Drive using an API key. Before installing, consider:
1) The skill will ask for and then save your AUTO_DRIVE_API_KEY to ~/.openclaw/.env and openclaw.json — if you prefer least privilege, create a dedicated API key with limited upload quota.
2) Uploaded data is claimed to be permanent — you cannot undo uploads; avoid storing secrets.
3) The skill will create/update state files in your OpenClaw workspace and may append a Latest CID into MEMORY.md; back up any values you care about (lastCid).
4) Verify the Auto Drive domains (api/gateway/dashboard) yourself and ensure you trust that service.
5) If you want to limit risk, review the included scripts (they are small, readable bash scripts) and consider running them manually rather than granting autonomous agent invocation.
Overall the package is coherent with its purpose, but treat the persisted API key and permanent uploads with caution.

Review Dimensions

Purpose & Capability
ok: Name/description, required binaries (curl, jq, file), and the single required env var (AUTO_DRIVE_API_KEY) are consistent with a tool that uploads/downloads files and manages a CID-based memory chain via the Auto Drive API.
Instruction Scope
note: Runtime instructions and scripts are focused on uploading/downloading CIDs and managing a local state file and MEMORY.md. The skill reads/writes ~/.openclaw/openclaw.json, ~/.openclaw/.env, a workspace memory state file, and may update WORKSPACE/MEMORY.md — this is in scope but worth noting because the skill will persist the API key and chain head locally and requires the user to provide the API key (interactive browser flow is described).
Install Mechanism
ok: Install spec uses Homebrew formulas (curl, jq, file-formula). No arbitrary downloads or archive extraction are performed; install mechanism is standard and traceable.
Credentials
note: Only AUTO_DRIVE_API_KEY is required (declared as primary). The scripts will store this key in plaintext in ~/.openclaw/.env and also write it into ~/.openclaw/openclaw.json (skills.entries.auto-memory.apiKey). This is expected for the functionality but users should be aware the key is persisted locally.
Persistence & Privilege
note: always:false (normal). The skill persistently writes config and state files under the user's home directory and can modify a workspace MEMORY.md file; it does not modify other skills or system-wide settings beyond its own config files.