Memory OS
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Memory OS is a coherent local-only persistent memory setup, but it intentionally stores and reuses personal/work context across future agent sessions.
Install only in a private workspace where you are comfortable retaining long-term agent memory. Review the generated AGENTS.md, USER.md, MEMORY.md, HEARTBEAT.md, and daily notes regularly, avoid storing secrets, and disable or narrow heartbeat/startup behavior if you do not want automatic memory loading.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The memory files may store names, projects, goals, decisions, mistakes, and other private context that future agents can read and rely on.
The skill is designed to accumulate and reuse personal/work context over time, which is expected for a memory system but sensitive if used in the wrong context.
“MEMORY.md may become quite personal over time. Only load it in trusted, private sessions — not in shared contexts, group chats, or sessions with people other than your primary operator.”
Keep the memory files in a private workspace, avoid adding secrets, periodically review or prune them, and do not load them in shared or untrusted sessions.

Future sessions may automatically read memory files and continue prior context without asking each time.
The skill intentionally installs persistent startup behavior that changes how future agent sessions initialize.
“With AGENTS.md, the agent proactively loads its memory files, orients itself, and picks up where it left off — before the conversation even starts.”
Inspect the generated AGENTS.md and related memory files before relying on them, and edit or remove any startup behavior you do not want.

If heartbeat features are enabled, the agent may perform periodic checks and contact the user based on the stored checklist.
Heartbeat behavior is disclosed and purpose-aligned, but it introduces proactive scheduled agent activity rather than purely user-invoked behavior.
“OpenClaw supports scheduled heartbeat checks. When triggered, the agent reads HEARTBEAT.md, works through the list, and reaches out only if something needs attention.”
Enable heartbeat behavior only if you want proactive checks, and keep HEARTBEAT.md narrowly scoped to safe, non-sensitive checks.

A user might put more personal information into the memory files than they would otherwise choose to retain long-term.
The guide also includes privacy warnings, but this wording could understate the privacy implications of asking users to store detailed personal and work context.
“This isn't about privacy — it's about efficiency.”
Treat all Memory OS files as potentially sensitive, even if they are local-only, and avoid storing secrets or information you would not want reused in future sessions.
