v1.0.0

Memory OS

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:31 AM.

Analysis

Memory OS is a coherent local-only persistent memory setup, but it intentionally stores and reuses personal/work context across future agent sessions.

Guidance: Install only in a private workspace where you are comfortable retaining long-term agent memory. Review the generated AGENTS.md, USER.md, MEMORY.md, HEARTBEAT.md, and daily notes regularly, avoid storing secrets, and disable or narrow heartbeat/startup behavior if you do not want automatic memory loading.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: Low | Confidence: High | Status: Note
references/guide.md
“With AGENTS.md, the agent proactively loads its memory files, orients itself, and picks up where it left off — before the conversation even starts.”

The skill intentionally installs persistent startup behavior that changes how future agent sessions initialize.

User impact: Future sessions may automatically read memory files and continue prior context without asking each time.
Recommendation: Inspect the generated AGENTS.md and related memory files before relying on them, and edit or remove any startup behavior you do not want.

Rogue Agents
Severity: Low | Confidence: Medium | Status: Note
references/guide.md
“OpenClaw supports scheduled heartbeat checks. When triggered, the agent reads HEARTBEAT.md, works through the list, and reaches out only if something needs attention.”

Heartbeat behavior is disclosed and purpose-aligned, but it introduces proactive scheduled agent activity rather than purely user-invoked behavior.

User impact: If heartbeat features are enabled, the agent may perform periodic checks and contact the user based on the stored checklist.
Recommendation: Enable heartbeat behavior only if you want proactive checks, and keep HEARTBEAT.md narrowly scoped to safe, non-sensitive checks.

Human-Agent Trust Exploitation
Severity: Low | Confidence: Medium | Status: Note
references/guide.md
“This isn't about privacy — it's about efficiency.”

The guide also includes privacy warnings, but this wording could understate the privacy implications of asking users to store detailed personal and work context.

User impact: A user might put more personal information into the memory files than they would otherwise choose to retain long-term.
Recommendation: Treat all Memory OS files as potentially sensitive, even if they are local-only, and avoid storing secrets or information you would not want reused in future sessions.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
references/guide.md
“MEMORY.md may become quite personal over time. Only load it in trusted, private sessions — not in shared contexts, group chats, or sessions with people other than your primary operator.”

The skill is designed to accumulate and reuse personal/work context over time, which is expected for a memory system but sensitive if used in the wrong context.

User impact: The memory files may store names, projects, goals, decisions, mistakes, and other private context that future agents can read and rely on.
Recommendation: Keep the memory files in a private workspace, avoid adding secrets, periodically review or prune them, and do not load them in shared or untrusted sessions.