Back to skill
Skillv1.0.0
ClawScan security
Memory Consolidate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
ReviewMar 13, 2026, 10:48 AM
- Verdict
- Review
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions largely match a memory-consolidation purpose, but it reads agent session logs, patches gateway hooks and cron, and runs an LLM-powered semantic step that will send extracted content to an external provider — which raises data-exfiltration and persistence concerns that aren't fully addressed in the SKILL.md.
- Guidance
- This skill appears to do what it claims (consolidate memory and inject a session snapshot) but you should proceed cautiously. Before installing: (1) Review openclaw.json and confirm which LLM provider (baseUrl/apiKey) will be used — the semantic step will send snapshot content to that external service. (2) Inspect your session logs for sensitive data (API keys, tokens, passwords, private channel IDs) because the scripts read session transcripts and there is no clear automatic redaction. (3) Back up current gateway/openclaw.json and only apply the gateway config patch after you accept that MEMORY_SNAPSHOT.md will be injected into every session. (4) Consider testing in a separate/isolated workspace first and run the scripts in dry-run mode to inspect outputs before enabling the cron. If you want to be safer, remove or sanitize secrets from logs or ensure the provider endpoint is trusted and that you understand data retention/processing by that provider.
Review Dimensions
- Purpose & Capability
- okName/description match the delivered files and runtime steps: scripts parse session logs, classify facts/decisions/solutions, manage temperature lifecycle, and render MEMORY_SNAPSHOT.md. Patching the gateway to inject the snapshot and running a scheduled job are coherent with the stated purpose.
- Instruction Scope
- concernRuntime instructions ask you to patch gateway hooks (bootstrap-extra-files) and add a daily cron that runs the consolidation script. The scripts read workspace session logs (memory/*.md and structured JSONL), IDENTITY.md and USER.md, and openclaw.json provider config. That means the skill will access session transcripts and config files; the semantic pipeline will send extracted content to an external LLM provider configured in openclaw.json. There is no explicit redaction policy shown for secrets (API keys, tokens, passwords) that may appear in session logs.
- Install Mechanism
- noteNo install spec, but the skill bundle includes many Python scripts that are expected to be run in-place from the workspace. No external downloads or opaque installers are present. The lack of an explicit install step means the operator must copy/enable scripts and run commands listed in SKILL.md, which is lower-risk than remote code download but does write/modify gateway config and cron.
- Credentials
- concernThe skill declares no required env vars, but in practice it reads OPENCLAW_WORKSPACE files (session logs, IDENTITY.md, USER.md) and openclaw.json (provider baseUrl/apiKey). The semantic step uses the configured LLM provider (claude-haiku via 'tui'), so API keys present in openclaw.json will be used to make external calls. The code inspects line text for occurrences of 'token', 'apiKey', etc. and lowers their 'importance' score, but I see no clear redaction/removal of sensitive tokens before storing or sending content to the LLM — this is a potential secret-exfiltration vector.
- Persistence & Privilege
- concernThe SKILL.md instructs patching gateway configuration so MEMORY_SNAPSHOT.md is injected into every session and adding a daily cron job to run the consolidation script. These are persistent configuration changes that affect all sessions. The skill does not set always:true, but the gateway patch grants system-wide behavior change (context injection) and the cron creates regular autonomous execution — both require explicit user consent and review.