Dreaming

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: dreaming
Version: 1.0.2

The skill 'dreaming' is designed for creative exploration during quiet hours, writing outputs to designated files within its workspace. It uses standard binaries (`jq`, `python3`) for state management and random chance calculation. All file operations are confined to the skill's `data/` and `memory/` directories. The `SKILL.md` instructions guide the agent to parse a `category:prompt` string and write a thoughtful exploration, which aligns with its stated purpose and does not contain any instructions for malicious actions like data exfiltration, unauthorized command execution, or prompt injection with harmful objectives. The use of `jq` with `--arg` and `--argjson` for state updates, and `jq -r` for reading, appears robust against injection. The `python3 -c` command is also not vulnerable to shell injection from the `$DREAM_CHANCE` variable.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the state file is edited incorrectly or poisoned by another local process or skill, the next heartbeat run could execute unintended Python commands with the agent user's permissions.

Why it was flagged

A value loaded from data/dream-state.json is inserted directly into Python source code instead of being validated as a number or passed as data.

Skill content

```bash
DREAM_CHANCE=$(echo "$STATE" | jq -r '.dreamChance // 1.0')
ROLL=$(python3 -c "import random; print(1 if random.random() < $DREAM_CHANCE else 0)")
```

Recommendation

Validate dreamChance as a numeric value before use, or pass it to Python through an environment variable or argv and parse it as float rather than interpolating it into code.

What this means

After setup, the agent may periodically create journal-like files during quiet hours.

Why it was flagged

The skill is designed to run from a recurring heartbeat routine and create output without a direct user request each time.

Skill content

Add this section to your heartbeat routine (during quiet hours)... If DREAM_TOPIC is set: ... Write a thoughtful exploration to memory/dreams/YYYY-MM-DD.md

Recommendation

Only add the heartbeat hook if you want autonomous quiet-hours writing, and keep the maxDreamsPerNight and dreamChance settings low enough for your comfort.

What this means

Speculative or creative agent-written content could be mistaken for reliable memory if it is later fed back into the agent.

Why it was flagged

The skill intentionally creates persistent generated content that may later be reviewed or reused as context.

Skill content

memory/dreams/YYYY-MM-DD.md — Dream output files (written by the agent, not the script)

Recommendation

Keep dream files separate from authoritative project notes and review them before using them as context for future work.