ClawGraph
Security checks across static analysis, malware telemetry, and agentic risk
Overview
ClawGraph is a coherent memory skill, but it stores user facts durably on disk and may send them to an OpenAI-compatible API for extraction, so it should be treated as privacy-sensitive.
Install only if you want automatic long-term memory. Before using it, confirm you are comfortable with durable facts being stored under ~/.clawgraph/data and processed by your configured OpenAI-compatible provider; avoid sharing sensitive personal or confidential business information unless you intend it to be remembered.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes, so the findings below describe declared behaviour, not observed behaviour.
Finding: persistent cross-conversation memory
Facts about you, your projects, or your team can persist and be reused in later conversations, including statements that later become outdated or that you did not intend to be remembered long term.
Why it matters: the skill intentionally builds persistent cross-conversation memory from user statements, without an explicit opt-in per fact.
Evidence: "Proactively store durable user facts without waiting for an explicit memory command ... Data stored at `~/.clawgraph/data` — survives restarts"
Recommendation: use this only if you want automatic durable memory; periodically inspect the graph under ~/.clawgraph/data and avoid sharing sensitive or confidential details unless you are comfortable with them being stored.
Finding: provider credential and configurable endpoint
The configured provider account may be used for model calls, which can affect billing, usage logs, and provider-side data handling.
Why it matters: the skill requires a provider credential and can be pointed at any OpenAI-compatible endpoint, which is expected for its extraction workflow but means the endpoint receiving your facts is whatever `OPENAI_BASE_URL` names.
Evidence: `OPENAI_API_KEY` is required. `OPENAI_BASE_URL` is optional for other OpenAI-compatible endpoints.
Recommendation: use a dedicated API key where possible, monitor its usage, and set `OPENAI_BASE_URL` only to an endpoint you trust.
Finding: user facts leave the local environment
User facts may be sent to the configured OpenAI-compatible provider for extraction, not just stored locally.
Why it matters: every fact selected for storage is processed through an LLM provider interface before it is written to the graph.
Evidence: "Each fact is automatically decomposed into entities and relationships using ... one LLM call ... OpenAI-compatible APIs today via the OpenAI SDK."
Recommendation: review the provider's data handling policy and avoid storing facts that should not leave your environment.
Finding: executable code from an external package not reviewed here
Installing the skill installs and runs code from an external package that was not directly visible in the supplied files.
Why it matters: the executable comes from an external pinned package; the provided artifact set did not include the package code, so the static scan above could not cover it.
Evidence: uv | package: clawgraph==0.1.3 | creates binaries: clawgraph
Recommendation: install from a trusted package source, verify the package name, version and homepage, and consider using an isolated environment.
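The recommendations above (pin and verify the package spec, trust only a known `OPENAI_BASE_URL`, and periodically inspect the memory store) can be folded into a pre-flight check. The script below is an added example written for this page; it is not part of the ClawScan report or of the clawgraph package. It assumes a `TRUSTED_HOSTS` allowlist you maintain, a rough regex for credential-looking strings, and that the files under the data directory are plain text that `grep` can search; if ClawGraph stores its graph in a binary or database format, adapt `scan_memory_for_secrets` accordingly. Nothing here contacts the network or invokes `uv`.

```shell
#!/bin/sh
# Pre-flight checks before installing/running the clawgraph skill.
# Added example for this review page; not ClawScan's or clawgraph's own code.

# Assumption: hosts you are willing to send extracted facts to.
TRUSTED_HOSTS="${TRUSTED_HOSTS:-api.openai.com}"

# Assumption: crude heuristic for credential-like content in stored facts.
SECRET_PATTERN='sk-[A-Za-z0-9_-]{8,}|password|passwd|secret|api[_ -]?key|token'

# check_pin SPEC NAME VERSION: accept only an exact "name==version" pin
# that matches what the review listed (clawgraph==0.1.3).
check_pin() {
  spec="$1"; want_name="$2"; want_version="$3"
  case "$spec" in
    *==*) ;;
    *) echo "refusing unpinned package spec: $spec" >&2; return 1 ;;
  esac
  name="${spec%%==*}"
  version="${spec#*==}"
  if [ "$name" != "$want_name" ] || [ "$version" != "$want_version" ]; then
    echo "spec $spec does not match expected $want_name==$want_version" >&2
    return 1
  fi
  return 0
}

# check_base_url URL: empty means the SDK default (accepted); otherwise
# require https and a host on the allowlist.
check_base_url() {
  url="${1:-}"
  if [ -z "$url" ]; then
    return 0
  fi
  case "$url" in
    https://*) ;;
    *) echo "OPENAI_BASE_URL must use https: $url" >&2; return 1 ;;
  esac
  host="${url#https://}"
  host="${host%%/*}"   # drop path
  host="${host%%:*}"   # drop port
  for allowed in $TRUSTED_HOSTS; do
    if [ "$host" = "$allowed" ]; then
      return 0
    fi
  done
  echo "OPENAI_BASE_URL host is not in TRUSTED_HOSTS: $host" >&2
  return 1
}

# count_memory_files DIR: number of files in the persistent memory store.
count_memory_files() {
  dir="$1"
  if [ ! -d "$dir" ]; then
    echo 0
    return 0
  fi
  find "$dir" -type f | wc -l | tr -d ' '
}

# scan_memory_for_secrets DIR: exit 1 (and list files) if any stored
# fact looks like a credential. Assumes plain-text files.
scan_memory_for_secrets() {
  dir="$1"
  [ -d "$dir" ] || return 0
  hits=$(find "$dir" -type f -exec grep -liE "$SECRET_PATTERN" {} + 2>/dev/null || true)
  if [ -n "$hits" ]; then
    echo "possible secrets in memory store:"
    echo "$hits"
    return 1
  fi
  return 0
}

# run_preflight [DATA_DIR]: run every check against the current environment.
run_preflight() {
  data_dir="${1:-$HOME/.clawgraph/data}"
  status=0
  check_pin "${CLAWGRAPH_SPEC:-clawgraph==0.1.3}" clawgraph 0.1.3 || status=1
  if [ -z "${OPENAI_API_KEY:-}" ]; then
    echo "OPENAI_API_KEY is not set (use a dedicated key for this skill)" >&2
    status=1
  fi
  check_base_url "${OPENAI_BASE_URL:-}" || status=1
  echo "files in memory store $data_dir: $(count_memory_files "$data_dir")"
  scan_memory_for_secrets "$data_dir" || status=1
  return $status
}
```

Source the script and call `run_preflight` before installing, and again periodically to inspect the store; `CLAWGRAPH_SPEC` is a variable introduced here only so the expected pin can be overridden in tests.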
