๐ dreaming-optimizer
AdvisoryAudited by VirusTotal on Apr 17, 2026.
Overview
Type: OpenClaw Skill Name: dreaming-optimizer Version: 1.0.0 The dreaming-optimizer bundle is a well-structured memory management tool designed to score, deduplicate, and archive agent memories within the OpenClaw ecosystem. The code follows security best practices, such as using yaml.safe_load in config_loader.py to prevent arbitrary code execution and parameterized SQL queries in blayer_client.py to mitigate SQL injection risks. The logic is transparent, extensively documented in DESIGN.md, and lacks any indicators of data exfiltration, malicious execution, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private or low-quality memory entries could be consolidated into long-term memory and influence future agent behavior.
The skill intentionally reads local memory notes and writes selected content into persistent agent memory, which can later affect what the agent remembers or relies on.
Reads from: `~/.openclaw/workspace/memory/YYYY-MM-DD.md` ... Writes to: `~/.openclaw/memory/<agent>.sqlite`
Run it intentionally, review the generated summaries and memory database, and avoid storing sensitive or untrusted instructions in daily memory notes.
Once invoked, the pipeline can modify persistent memory without an interactive review step in the top-level script.
The main shell entry point chains local scripts and commits results by default after scoring and deduplication.
python3 "$BIN_DIR/score_entries.py" --threshold "$THRESHOLD" ... python3 "$BIN_DIR/deduplicate.py" --threshold 0.85 ... python3 "$BIN_DIR/commit.py"
Use conservative thresholds, back up important memory data, and prefer dry-run or component-level testing before routine use.
Users may need to inspect the included scripts and ensure dependencies are available because the registry metadata is sparse.
The registry metadata provides limited provenance and does not declare runtime requirements, even though SKILL.md documents local script dependencies.
Source: unknown; Homepage: none; Required binaries: none; Env var declarations: none
Review the packaged code before installing and pin or manage any local Python dependencies in a trusted environment.