v1.1.0

Memory Lifecycle

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:19 AM.

Analysis

The skill is mostly aligned with memory management, but it creates persistent automated agent jobs and tells the agent to preserve highly sensitive details, including credentials, in always-loaded memory.

Guidance: Before installing, run the setup script with --dry-run, confirm the target agent and workspace, and review the cron jobs it will create. Remove or override the instruction to preserve credentials in memory; keep secrets in a vault instead, add redaction rules for sensitive personal/business data, and make sure there is a clear way to disable the scheduled jobs.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: Medium; Confidence: High; Status: Concern
scripts/setup.py
creates cron jobs for nightly/weekly/monthly/yearly cycles, and updates HEARTBEAT.md ... If errored: diagnose, fix, and re-run. Only alert the human if you genuinely can't fix it yourself.

The setup installs recurring autonomous maintenance and persistent heartbeat instructions, including self-remediation before human notification.

User impact: After setup, the agent may continue modifying memory and managing its own memory jobs on a schedule without the user being present for each change.
Recommendation: Run the setup with --dry-run first, review every cron job, document how to disable them, and require human approval for reruns or repairs that go beyond simple memory-file maintenance.

Tool Misuse and Exploitation
Severity: Low; Confidence: Medium; Status: Note
scripts/setup.py
def run_cmd(cmd, dry_run=False): ... subprocess.run(cmd, shell=True, capture_output=True, text=True)

The setup helper has a generic shell-command runner for local OpenClaw setup operations. This appears purpose-aligned, but it is still local command execution.

User impact: Running the setup script can execute local commands that change the OpenClaw cron configuration as intended.
Recommendation: Use --dry-run, review the commands and target agent/workspace, and avoid passing untrusted values for setup options.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

The skill has limited provenance metadata even though it includes setup scripts that alter persistent agent configuration.

User impact: Users have less publisher or project context to rely on when deciding whether to run the setup helper.
Recommendation: Review the included scripts locally and prefer installing from a trusted publisher or repository when available.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
scripts/setup.py
def discover_agents(): ... subprocess.run("openclaw status --json 2>/dev/null", shell=True, capture_output=True, text=True) ... "workspace": a.get("workspaceDir", "")

The script can enumerate local OpenClaw agents and workspaces and uses an agent ID for cron setup, which requires local agent-management authority.

User impact: If run against the wrong agent or workspace, the memory lifecycle could be installed for the wrong agent.
Recommendation: Confirm the intended --agent and --workspace before applying setup, especially on shared OpenClaw installations.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: High; Confidence: High; Status: Concern
SKILL.md
Every new session sees it (MEMORY.md is loaded automatically) ... Never compress: Phone numbers, addresses, credentials, family details, business structure

The skill directs the agent to keep exact sensitive details, including credentials, in persistent memory that is automatically loaded into future sessions.

User impact: Secrets or private personal/business details placed in memory could persist, be exposed to future sessions or tools, and influence later agent decisions.
Recommendation: Do not store credentials in MEMORY.md; add explicit secret redaction/exclusion rules and require human approval before retaining highly sensitive personal or business data.