Claw Brain
ReviewAudited by ClawScan on May 10, 2026.
Overview
This memory skill is not clearly malicious, but it asks users to install external, unreviewed code and persistent hooks while making security/declaration claims that do not match the provided registry artifacts.
Review before installing. Only proceed if you trust and verify the external ClawBrain package/source, inspect the hook code, understand that it will persist memories across sessions, and are prepared to protect the local database and encryption key.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing it would require trusting code that was not included in this skill review, including code that can manage memories, secrets, and hooks.
The documented setup depends on an external Python package and setup command, while the provided registry says there is no install spec and no code files present. That leaves the actual executable behavior and hook installer outside the reviewed artifacts.
pip install clawbrain[all] # Run interactive setup clawbrain setup
Only install after independently verifying the PyPI package/GitHub source, reviewing the hook code, and preferably pinning the exact version or requiring a proper registry install spec.
Users may believe the sensitive install and configuration behavior has been declared and reviewed when the provided registry artifacts do not show that.
The supplied artifacts list no env var declarations, no install spec, and no skill.json in the file manifest. These unsupported security-scanner-facing claims could cause users or reviewers to over-trust the package metadata.
**Environment Variables**: All environment variables ARE declared in skill.json ... **Install Specification**: skill.json declares installation method
Align the registry metadata and included files with the documentation, or remove the unsupported claims until the declarations and install spec are actually provided.
Private conversation details or incorrect learned facts could persist and affect later agent behavior.
The skill stores conversation history, facts, preferences, and learning data persistently, with much of it not encrypted. That is expected for a memory skill, but it is sensitive and can influence future context.
| `memories` | Conversation history, facts | **Only if `memory_type='secret'`** | ... | `user_profiles` | User preferences, interests | No |
Review what is stored, where the database lives, how to delete or reset memories, and avoid storing sensitive information unless you intentionally mark/protect it.
The agent may keep refreshing and saving memory across restarts and sessions unless the hooks are removed or disabled.
The skill uses persistent event hooks that automatically run on startup and new-command events. This persistence is disclosed and purpose-aligned, but it changes ongoing agent behavior.
On `gateway:startup` event: ... Loads memories and personality ... On `command:new` event: ... Saves current session summary to memory
Review the installed hook code before enabling it, confirm the events are desired, and use the documented hook removal steps if you do not want automatic memory behavior.
Anyone who obtains the encryption key and database can decrypt protected secrets.
The tool can display and back up the full encryption key and also supports sensitive database credentials. This is disclosed and relevant to encrypted memory/secrets support, but mishandling the key would expose stored secrets.
clawbrain show-key --full # Shows full key (⚠️ SENSITIVE!)
Treat the key like a password, avoid exposing it in logs/screenshots, secure backups, and restrict file permissions on the key and database.