Skill v0.6.1

ClawScan security

Openclaw Memory Stack · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 8:49 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to implement a local memory plugin as described, but there are several inconsistencies and supply-chain/light-exfil risks you should understand before installing.
Guidance
This package implements a full local memory stack and includes an installer that writes into ~/.openclaw and installs an OpenClaw plugin. Before installing:
1) Review and trust the download source (openclaw-api.apptah.com). The installer downloads a tarball and its checksum from that same host — this verifies integrity only if you trust the server.
2) Inspect install.sh and plugin files (they're included), or run the install in an isolated VM/container if you prefer.
3) Keep all LLM endpoints configured to localhost unless you intentionally want conversation excerpts sent to a remote LLM; enabling external endpoints or supplying API keys will send conversation content to those endpoints.
4) If you need stronger assurance, prefer a release hosted on a third-party release host (GitHub releases) or signed artifacts.
5) If you lack the ability to audit the code, treat this as higher-risk: run in a sandbox or avoid supplying cloud API keys.
If you want, I can extract and summarize any specific scripts (install.sh, distill.sh, dedup.sh, etc.) line-by-line to highlight exact network calls and file writes.

Review Dimensions

Purpose & Capability
Note: The name/description (local memory, multi-engine, offline-first) generally matches the shipped code (install.sh, many local bash/python helpers, sqlite usage, qmd adapters). However, the registry metadata says “No install spec — instruction-only” while the package contains an installer and a plugin bundle (install.sh, plugin/). That mismatch is unexpected: the skill is not purely instruction-only and will write files into ~/.openclaw if installed.
Instruction Scope
Concern: Runtime scripts perform local DB reads/writes and call local LLM endpoints (localhost:11434, localhost:8080), which is coherent with the stated purpose. However, the distillation/dedup/merge code builds prompts containing conversation/session text and POSTs them to a configurable endpoint (DISTILL_ENDPOINT/DEDUP_MERGE_ENDPOINT). Those endpoints default to localhost but are user-configurable, and not all are declared in the registry's required-env list. Some helpers also probe git repos and project paths (git rev-parse), so the code may read files outside the home plugin directory when used in per-project mode. The SKILL.md claims 'neverTransmitted: Raw memory content never sent to apptah.com', which appears true for the defaults, but the code will send conversation excerpts to any LLM endpoint you configure (including remote ones) — this is documented but easy to misconfigure.
Install Mechanism
Concern: There is no install spec in the registry, but install.sh is included and is the installer. The upgrade flow downloads a tarball and a SHA-256 checksum from openclaw-api.apptah.com (same host). The script verifies the checksum, but both the archive and checksum are fetched from the same origin (not a third-party release host like GitHub releases or a signed artifact). That creates a moderate supply-chain risk if that host is compromised or a DNS/MITM attack occurs. The installer will extract files into ~/.openclaw and copy plugin code into OpenClaw's extensions directory — expected for this plugin but noteworthy because it modifies the agent's runtime extension path.
Credentials
Concern: The registry declared no required env vars, and SKILL.md lists a small set of optional envs (OPENCLAW_LLM_API_KEY, OPENAI_API_KEY, etc.). In practice the scripts also read/write many other environment/config variables (DISTILL_ENDPOINT, DEDUP_MERGE_ENDPOINT, DEDUP_MERGE_MODEL, NOWLEDGE_URL, OPENCLAW_RELEASE_URL, OPENCLAW_INSTALL_ROOT and others) that control where conversation excerpts and merge/generation requests are sent. That means a few environment or config changes can route conversation content to remote services. The number and reach of these configurable endpoints is greater than the registry metadata indicates.
Persistence & Privilege
OK: The skill does not set always:true and does not require cloud activation tokens. The installer and code write under the user's home (~/.openclaw/*) and create a plugin under OpenClaw extensions — expected for a memory provider. It does not appear to alter other skills' configs beyond installing its own plugin files. Autonomous invocation is allowed by default (normal for skills).