Claw Memory Guardian
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: claw-memory-guardian
Version: 1.0.1
The skill is classified as suspicious because of the powerful system capabilities it uses: it writes and executes a persistent `auto_save.sh` shell script in the user's workspace (from `index.js`). The script's current hardcoded content is benign (it creates daily memory files and updates JSON timestamps), but the mechanism of writing an executable script that runs continuously (`while true; do ... sleep ...; done`) is a significant persistence capability. Combined with extensive file system operations (`fs-extra`) and Git version control (`simple-git`) within the user's `OPENCLAW_WORKSPACE`, this creates a substantial attack surface. No clear malicious intent (data exfiltration, unauthorized network calls, or explicit prompt injection for harmful actions) is observed in the current code or documentation (`SKILL.md`, `README.md`), but these capabilities could be exploited if other vulnerabilities were present or in future versions, making it a high-risk component.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the background auto-save script has been started, it may keep modifying memory files or logs and consuming resources after the user thinks the skill has been removed.
The uninstaller acknowledges that the auto-save process may continue running after the program files are removed, and it provides only manual process termination rather than managed cleanup.
Evidence (uninstaller message): "自动保存脚本可能仍在运行 ... 如需完全停止,请手动结束相关进程" (The auto-save script may still be running ... to stop it completely, terminate the related process manually)
Only start the background auto-save process if you need it. The skill should add explicit start/stop/status controls, track its process ID, and stop the worker during uninstall.
Private project details, customer notes, or mistaken instructions saved in memory may influence later OpenClaw sessions.
The skill intentionally stores and reloads session memory across tasks, which is central to its purpose but can retain sensitive or stale context.
Evidence (SKILL.md): "会话开始时:自动读取今日记忆文件 ... 会话结束时:自动保存会话摘要" (At session start: automatically read today's memory file ... At session end: automatically save a session summary)
Review the memory directory regularly, avoid saving secrets, and delete or correct stale or untrusted memory entries.
Memory files and commit messages may become part of a repository history that the user later shares or pushes elsewhere.
Saving memory can add files and create Git commits in the OpenClaw workspace repository. This is disclosed and purpose-aligned, but it mutates the user’s local repo history.
Evidence (index.js):
await this.git.add('./memory/*'); await this.git.commit(`记忆保存: ${message} - ${new Date().toLocaleString('zh-CN')}`);
(The commit message prefix `记忆保存` means "memory save".)
Use this in a dedicated workspace, or review Git status before pushing. Prefer making automatic commits opt-in and clearly configurable.
Installation can make local workspace changes even though the registry install spec says this is an instruction-only skill.
The package defines lifecycle scripts, so installing it through a package workflow may execute Node.js code that copies files and creates a CLI wrapper.
Evidence (package.json):
"scripts": { "test": "node test.js", "install": "node install.js", "uninstall": "node uninstall.js" }
Inspect install.js before installation and install only from a trusted source. The registry metadata should declare the install script behavior.
Users have less provenance information for verifying that the package and future updates come from an expected maintainer.
The registry provenance fields do not identify a source or homepage, even though the package has executable install scripts and external npm dependencies.
Source: unknown; Homepage: none
Prefer a verified source repository, pinned dependencies or a lockfile, and registry metadata that matches the package’s repository and homepage.
