Skillv1.0.0

ClawScan security

Fractal Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 18, 2026, 6:33 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely does what it says (automated rollups of local diary files) but has several inconsistencies and privacy-relevant behaviors you should understand before installing.
Guidance: This skill is coherent with its stated goal (automated rollups) but has several things to check before you install: 1) Privacy: rollup-daily.py sends your full daily diary text to an external LLM via the 'openclaw ask' CLI — if that LLM is remote, your private notes will leave your machine. Confirm you are comfortable with that and that your agent/CLI credentials are intended to be used for this. 2) Path inconsistencies: two scripts hardcode /Users/brianq/.openclaw/workspace while others use Path.home(); update those paths to your own workspace before running to avoid writes to unexpected locations. 3) Undeclared dependencies: the SKILL.md and registry do not declare that 'openclaw' and Python3 are required; ensure those binaries exist and that 'openclaw ask' behavior is acceptable. 4) Missing artifact: cron examples reference update_now.py which is not included — verify cron payloads before adding jobs. 5) Test first in an isolated or backed-up workspace: run the scripts manually, inspect what files they create/modify (memory/, integrity.json, rollup-state.json, MEMORY.md), and run verify_memory_integrity.py to see detected changes. If you need stronger privacy, set USE_LLM = False in rollup-daily.py (falls back to heuristic extraction) or remove the openclaw ask call entirely.

Review Dimensions

Purpose & Capability: concernThe scripts and SKILL.md match the stated purpose (daily→weekly→monthly→MEMORY.md rollups). However there are inconsistencies: some scripts hardcode WORKSPACE = /Users/brianq/.openclaw/workspace while others use Path.home()/.openclaw/workspace, and rollup-daily.py invokes an external 'openclaw' CLI (openclaw ask) even though the skill metadata lists no required binaries or credentials. The hardcoded path and undeclared external CLI are disproportionate to a purely local file rollup and may cause unexpected file writes or failures.
Instruction Scope: concernInstructions tell the agent/user to copy scripts into ~/.openclaw/workspace, set up cron jobs, and update AGENTS.md so sessions will read/write many local files (SOUL.md, USER.md, daily/monthly files). rollup-daily.py will send full diary text to an LLM via the 'openclaw ask' CLI — this transmits private diary content to an external model. The cron examples reference running an update_now.py which is not present in the bundle. Overall the instructions stay within the memory-management goal but include explicit external data transmission and reference missing artifacts.
Install Mechanism: okThere is no remote download or complex installer: user is instructed to copy provided Python scripts into their workspace and make them executable. That is low-risk from supply-chain perspective. All code is included in the skill bundle (no external archives).
Credentials: noteThe skill declares no env vars/credentials, which is consistent with a local file-based tool, but rollup-daily.py requires the 'openclaw' CLI (to call an LLM) and will therefore rely on the agent/platform's credentials implicitly — this is not documented in requires.env. The hardcoded path (/Users/brianq/...) in two scripts is unexpected and could be inappropriate on other systems. Requesting filesystem access to ~/.openclaw/workspace and the ability to create cron jobs is proportionate to the purpose, but the implicit transmission of diary contents to an external model needs explicit disclosure and user consent.
Persistence & Privilege: okThe skill does not request always:true or modify other skills. It asks you to add cron jobs and copy scripts into your workspace (user-controlled actions). It does write state files (rollup-state.json, integrity.json) under the user's workspace, which is expected and scoped to its memory domain.