v1.3.0

Obsidian Memory System

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:26 AM.

Analysis

The skill mainly sets up a local Obsidian-based memory vault, but its recommended production configuration grants the agent unsandboxed, no-confirmation tool execution and persistent auto-loaded memory, so it needs careful review before use.

GuidanceBefore installing, decide whether you only need the vault/memory structure or also want the high-risk production setup. Prefer sandboxed execution and confirmation prompts, restrict Discord access to trusted users/channels, keep secrets out of Obsidian memory files, and regularly audit persistent brain files and promoted learnings.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

references/openclaw-config.md

| `tools.profile: "full"` | Agent has access to all available tools |
| `exec.security: "full"` | Commands run without sandboxing |
| `exec.ask: "off"` | Agent doesn't ask before executing commands |

The recommended production configuration explicitly gives the agent all tools, removes sandboxing, and disables confirmation prompts, which is high-impact authority beyond simply creating or searching a memory vault.

User impactIf applied, the agent could run local commands or change files, services, repositories, or connected accounts without a separate approval prompt.

RecommendationUse a sandboxed or limited tool profile by default, keep confirmation prompts on for command execution, and only enable full/no-approval access in an isolated workspace where you accept the risk.

Unexpected Code Execution

SeverityInfoConfidenceHighStatusNote

scripts/setup-vault.sh

mkdir -p "$VAULT/00-brain"
...
ln -s "vault/00-brain/$file" "$file"

The setup script performs local filesystem changes, including creating the vault structure and symlinks. This is expected for the skill and appears user-directed, but it is still code the user runs locally.

User impactRunning the script will create or modify files and symlinks in the selected workspace.

RecommendationRun the script only with the intended workspace path and review any existing files before allowing symlinks or templates to be created.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

references/openclaw-config.md

"token": "YOUR_BOT_TOKEN"
...
OPENAI_API_KEY=sk-...          # Required for memory search embeddings + audio transcription

The Discord and provider credentials are expected for the documented integrations, and the artifacts use placeholders rather than hardcoded secrets, but these credentials grant real account/API access.

User impactA leaked or over-scoped bot token or API key could expose Discord access or incur provider usage costs.

RecommendationUse least-privilege tokens, store keys in the intended OpenClaw auth/config location, avoid committing them to the vault, and rotate them if exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusNote

SKILL.md

OpenClaw auto-loads workspace root files (SOUL, USER, AGENTS, TOOLS, MEMORY) every session.

The skill intentionally creates persistent files that are loaded into future sessions. This is central to the memory-system purpose, but it means stored personal, operational, or instruction-like content can influence later agent behavior.

User impactIncorrect, sensitive, or overly broad memory entries may persist across sessions and shape future responses or actions.

RecommendationKeep secrets out of auto-loaded files, periodically audit SOUL/USER/AGENTS/TOOLS/MEMORY, and review promoted learnings before making them persistent operating instructions.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

references/discord-setup.md

"historyLimit": 30,
...
"threadBindings": {
  "enabled": true,
  "spawnSubagentSessions": true,
  "spawnAcpSessions": true
}

The Discord setup routes channel history into agent context and can spawn subagent or ACP sessions from Discord threads. This is aligned with the Discord workspace goal, but it creates cross-channel and inter-agent data-boundary considerations.

User impactDiscord messages, files, or thread context may be reused by agents or subagents, so private channel content could influence work outside the original conversation.

RecommendationKeep Discord allowlists tight, separate sensitive projects into restricted channels, consider requiring mentions or approvals, and verify what history and thread context are shared with subagents.