Skillv0.8.0

ClawScan security

Memory Pill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 24, 2026, 8:18 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions will read from and create/modify files under ~/.openclaw/workspace (which fits its stated purpose) but the package metadata does not declare those config paths and the SKILL.md directs potentially wide filesystem changes without a clear, explicit consent/preview guarantee — this mismatch and the potential for unreviewed edits are concerning.
Guidance: This skill will read and modify files in ~/.openclaw/workspace (create directories, rewrite SOUL.md/AGENTS.md, add BRAIN.md and templates). That behavior is consistent with an 'orchestration/memory' skill, but the package metadata does not declare the workspace/config paths it uses — a transparency mismatch. Before installing or enabling: 1) Review the full SKILL.md yourself and confirm you accept the exact set of file reads/writes it describes. 2) Back up ~/.openclaw/workspace (or test in a disposable/sandbox environment). 3) If you allow it to 'fix' files, require the agent to show a diff and ask for explicit confirmation before applying writes. 4) Prefer enabling user-invocation only (do not allow autonomous runs), or restrict its use to a controlled account. 5) If you need higher assurance, ask the publisher for a manifest that explicitly declares required config paths and a non-destructive dry-run mode; if the publisher cannot provide that, treat the skill as risky for valuable or sensitive workspaces.

Review Dimensions

Purpose & Capability: concernThe skill claims to be an AI-native memory/orchestration system for OpenClaw and its runtime instructions operate on an OpenClaw workspace (~/.openclaw/workspace). That capability itself matches the described purpose. However, the registry metadata declares no required config paths or workspace access even though the SKILL.md explicitly reads, creates, and merges files in ~/.openclaw/workspace. This omission is an incoherence between what the skill says it needs and what it will do.
Instruction Scope: concernSKILL.md contains explicit shell commands (ls, cat, mkdir) and detailed merge/edit rules that will read, create, and rewrite many files (SOUL.md, AGENTS.md, BRAIN.md, projects/*/summary.md, memory/facts, HEARTBEAT.md, etc.). The flow claims to ask the user before fixing content in some cases, but it also instructs creating directory structure and templated files 'safe to run anytime.' That grants the agent broad discretion to modify persistent files — the instructions do not fully limit or require an explicit review/diff before changes.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written by an installer. That minimizes install-time risk.
Credentials: concernNo environment variables or credentials are requested, which is good. However, the skill accesses and changes user files under ~/.openclaw/workspace without declaring any required config paths in metadata. That mismatch is a proportionality/visibility concern: the skill implicitly needs filesystem access but does not advertise it in its manifest.
Persistence & Privilege: notealways:false (not force-included) and model invocation is allowed (default). The skill will create persistent files and directories inside the user's home workspace and may delete/update BRAIN.md lifecycle items. This is expected for a memory/orchestration tool, but because the metadata omitted the workspace paths and the instructions allow automated modifications, users should treat the skill as having the power to persistently change their environment.