Skillv1.0.1

ClawScan security

Fast Unified Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 29, 2026, 4:16 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's code generally matches its stated purpose (local Ollama embeddings + file memory) but contains clear incoherences—notably a hard-coded absolute OpenClaw path and user id—that are unexpected and could cause privacy or access surprises.
Guidance: What to consider before installing or running this skill: - The core functionality is coherent: it uses a local Ollama instance for embeddings and combines vector search with keyword search over a file-based memory store. - Red flag: the code hard-codes /home/broedkrummen/.openclaw/workspace/memory and default user_id 'broedkrummen'. This is inconsistent with the documented '~/.openclaw/...' and may cause the script to: (a) silently fail on systems with a different username; or (b) read another user's OpenClaw memory if that exact path exists. Either outcome is unexpected and could leak or access private local files unintentionally. Recommended actions before use: - Inspect and (preferably) modify fast-unified-memory.js to make the OpenClaw path configurable. For example, compute MEMORY_DIR from process.env.HOME (or accept a CLI flag or env var) rather than hard-coding a username. - Replace hard-coded userId defaults with a dynamic value (e.g., process.env.USER or a provided --user flag) so mem0 operations are scoped to the current user. - Run the tool in a controlled environment (or with a test user) the first time to confirm which directories it reads and what it writes to ~/.mem0/fast-store.json. - Confirm Ollama is only listening on localhost and that network exposure/ports are acceptable for your threat model. - If you cannot or do not want to edit the code, avoid running it with elevated privileges and search the repository for hard-coded paths/identifiers before running. Confidence note: High confidence in the assessment that the hard-coded path/username is an incoherence and a practical concern. There is no evidence of network exfiltration or external endpoints beyond the documented local Ollama API.

Review Dimensions

Purpose & Capability: concernThe skill claims to combine local file-based OpenClaw memory with local Ollama embeddings, which is consistent with the code's behavior. However, the code hard-codes MEMORY_DIR = '/home/broedkrummen/.openclaw/workspace/memory' and default user_id = 'broedkrummen', while SKILL.md documents a tilde (~) path and generic behavior. The hard-coded username/path is not justified by the description and is an incoherence.
Instruction Scope: concernSKILL.md instructs only to install and run Ollama, pull the model, and run the CLI. The runtime JS mostly stays inside that scope (calls localhost Ollama embeddings, reads/writes a local JSON store, scans a file directory). However, the code will attempt to read files under a specific absolute path (/home/broedkrummen/...) which is not mentioned in the documentation and could cause the skill to read another user's OpenClaw memory if that path exists. The instructions do not disclose that behavior.
Install Mechanism: okNo install spec or third-party downloads included by the skill itself. The SKILL.md tells the user to install Ollama from its official install script and pull a model; the skill's code has no external download/exec beyond calling Ollama's local HTTP API. No archive downloads or external code fetches in the skill.
Credentials: noteThe skill requests no environment variables. It reads process.env.HOME for the mem0 store (expected). But it also embeds a specific username in both the OpenClaw path and mem0 user_id defaults, which is disproportionate/unexpected: these should normally be derived from HOME or a config, not hard-coded. This could cause the tool to ignore the current user or to access another user's files if present.
Persistence & Privilege: okThe skill does not set always:true and does not request system-wide privileges. It writes/reads only its own store (~/.mem0/fast-store.json) and attempts to read the OpenClaw path. Autonomous invocation (disable-model-invocation: false) is the platform default; combined with the hard-coded path this increases the blast radius slightly but by itself is not unusual.