Hippocampus Openclaw Onboarding

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only onboarding skill is coherent and purpose-aligned, but users should note that it involves an external npx setup helper, a bootstrap/API credential, and persistent memory configuration.

Before installing or using this skill, verify the hipokamp-mcp package and gateway are legitimate, use a scoped bootstrap token rather than a long-lived API key, and keep separate Hippocampus workspaces for unrelated OpenClaw instances.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the command may download and execute a third-party setup helper that receives the bootstrap token and configures the local environment.

Why it was flagged

The setup depends on an external npx package that is not pinned to a version and is not included in the provided artifacts. This is purpose-aligned for onboarding but creates a package provenance consideration.

Skill content

`npx hipokamp-mcp setup --bootstrap-token <token> --gateway <gateway-origin>`

Recommendation

Verify the package name, publisher, and version before running it, and consider pinning a trusted version of the setup helper.

What this means

A copied bootstrap token or long-lived API key could authorize access to the configured Hippocampus workspace if mishandled.

Why it was flagged

The skill explicitly sets up authentication for the Hippocampus gateway. This is expected for a memory-service integration, but it grants the configured OpenClaw instance access to that service.

Skill content

configure gateway URL and authentication

Recommendation

Use the recommended bootstrap token flow, keep credentials workspace-scoped, avoid reusing credentials, and rotate any token that may have been exposed.

What this means

Information stored in the memory system may be reused by future agents or sub-agents within the workspace namespace.

Why it was flagged

The skill configures persistent memory identity for a root agent and sub-agents. This is the stated goal, but persistent shared memory can affect future agent behavior if stored content is sensitive or untrusted.

Skill content

ensure sub-agents inherit scoped memory identity

Recommendation

Keep separate workspaces for unrelated projects, avoid storing secrets unless the memory service is intended for them, and review retention and access controls for the Hippocampus workspace.