Slim Project Memory

Pass

Audited by VirusTotal on May 8, 2026.

Overview

Type: OpenClaw Skill
Name: slim-project-memory
Version: 1.0.3

The skill bundle is a legitimate tool designed to optimize project documentation and reduce token usage for AI agents by restructuring large memory files into a modular 'docs/' tree. It follows security best practices by moving environment-specific metadata to a gitignored 'CLAUDE.local.md' file and explicitly instructs the agent to reference environment variable names rather than hardcoding secrets. All shell commands in SKILL.md are restricted to local file management and verification (e.g., 'mkdir', 'git mv', 'wc'), and the instructions explicitly defer all git commits and pushes to the user.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may create or edit project documentation and .gitignore files in the current repository.

Why it was flagged

The skill directs local shell and file changes inside the project, including directory creation and .gitignore updates. That is expected for a project-memory restructuring skill, but it can still modify the repository working tree.

Skill content

mkdir -p docs/architecture docs/features docs/pipeline docs/scripts docs/recaps docs/plans ... Add ... CLAUDE.local.md ... Verify: wc -l CLAUDE.md; git check-ignore -v CLAUDE.local.md

Recommendation

Use it only in the intended project root, review the resulting diff, and keep the skill’s instruction not to commit automatically.

What this means

Incorrect or overbroad environment references could steer a future agent toward the wrong staging or production target if credentials are available elsewhere.

Why it was flagged

The generated local reference file can guide future DB or hosting operations by naming environments, URLs, and env vars. The template includes approval limits, but users should verify the environment mapping carefully.

Skill content

Environment quick-reference — read this BEFORE any DB or hosting operation ... Production has live customer data. Read-only by default. Any write must be explicitly authorized in the current turn.

Recommendation

Record only env var names and service URLs, never production secrets, and require explicit current-turn approval for any production or non-default-environment write.

What this means

Out-of-date or incorrect persistent memory could cause future sessions to use stale project context or the wrong environment information.

Why it was flagged

The skill intentionally creates persistent, auto-loaded project memory that future agent sessions will trust for environment routing and project rules.

Skill content

Environment URLs and env var name references are in `CLAUDE.local.md` (gitignored, auto-loaded by Claude alongside this file). Read it before any DB or hosting operation...

Recommendation

Review generated CLAUDE.md and CLAUDE.local.md, keep CLAUDE.local.md gitignored, and update these files whenever environment or project facts change.