v0.1.9

TruContext OpenClaw

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:26 AM.

Analysis

This memory skill mostly matches its stated purpose, but unsafe path handling and silent workspace fallback could run unintended code or mix memory between projects.

GuidanceReview carefully before installing. The persistent-memory behavior and TruContext authentication are expected for this skill, but the wrapper should be patched to avoid Python code injection from path names and to fail safely instead of silently selecting the first configured memory workspace.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution

SeverityHighConfidenceHighStatusConcern

scripts/trucontext-openclaw.sh

cwd=$(pwd)
...
read -r agent_id root_node user_root primary_about < <(python3 -c "
import json, sys, os
state = json.load(open('$STATE_FILE'))
cwd = '$cwd'

The wrapper interpolates the current working directory and state-file path directly into Python source code. A crafted path containing quotes or Python syntax could alter the code executed during normal tc-memory use.

User impactUsing the skill from a maliciously named or untrusted project directory could cause unintended Python code to run with the user's local privileges.

RecommendationPass paths to Python via argv or environment variables, or JSON-escape them before interpolation; avoid using this wrapper from untrusted or oddly named directories until patched.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

install spec

node | package: trucontext-openclaw | creates binaries: trucontext-openclaw

Installation depends on an external npm package that provides the local binary/setup path. This is the disclosed install mechanism, but it is still a supply-chain trust point.

User impactInstalling the skill requires trusting the npm package and any setup it performs locally.

RecommendationInstall from the expected publisher/source, verify the package version, and review updates before upgrading.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

TruContext CLI auth (`~/.trucontext/credentials.json`) — the `trucontext` CLI manages its own auth tokens. This skill calls the CLI; it does not read or store credentials directly.

The skill relies on the user's authenticated TruContext CLI session. This is expected for the integration and is disclosed, but actions occur under that account.

User impactMemory reads and writes will use the logged-in TruContext account, so an agent mistake could affect that account's stored knowledge.

RecommendationAuthenticate only to the intended TruContext workspace/account and review what the agent is allowed to store or retrieve.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusConcern

scripts/trucontext-openclaw.sh

# Fallback: use first agent or default
agents = list(state.get('agents', {}).items())
if agents:
    aid, a = agents[0]
    print(aid, a.get('root_node', aid), a.get('user_root', 'dustin'), a.get('primary_about', aid))

If the current directory does not match a registered workspace, the resolver silently selects the first configured agent instead of failing closed or asking for confirmation.

User impactThe agent could recall private context from the wrong project or store new memories under the wrong root, polluting future sessions.

RecommendationFail closed when no workspace matches, require explicit agent selection, and use robust path matching that cannot confuse similarly named directories.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusNote

SKILL.md

At the start of every session, call:
```bash
tc-memory recall "active projects and entities relevant to my current work"
```

The skill intentionally retrieves persistent memory into each session. This is central to its purpose, but it means stored context can influence future agent behavior.

User impactOld or incorrect memories may reappear in later sessions and affect the agent's recommendations or actions.

RecommendationStore only information you want reused later, periodically review or prune memory, and be cautious about saving sensitive personal or business details.