org-memory
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s memory features are mostly aligned with its purpose, but it deserves review because its file-writing helper can escape the intended memory folder if given a crafted filename.
Install only if you want the agent to keep long-term org-based memory. Use a trusted org CLI binary, review the memory directory periodically, and prefer a version that validates file paths so writes cannot leave the configured agent-memory workspace.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A prompt or agent action could create or modify org files outside the dedicated agent-memory folder.
The registered add tools accept an optional filename and the argument builder joins it to the memory directory without validating that the final path remains inside that directory. A value such as '../outside.org' could direct the org CLI to write outside the intended workspace.
file?: string; ... const filePath = join(cfg.dir, params.file ?? cfg.inboxFile);
Validate and normalize filenames before passing them to org; reject absolute paths and any path that resolves outside ORG_MEMORY_DIR.
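The following is an added example, not code from the org-memory skill or from ClawScan. It places the join-without-validation pattern quoted above beside a hardened path builder that applies the remediation in this finding: absolute filenames are rejected, and any name that resolves outside the memory directory is rejected. The MemoryConfig shape is modelled on the cfg.dir and cfg.inboxFile fields visible in the snippet; the function names are hypothetical.

```typescript
import * as path from "node:path";

// Hypothetical config shape, modelled on the cfg.dir / cfg.inboxFile fields
// shown in the finding. cfg.dir corresponds to ORG_MEMORY_DIR.
interface MemoryConfig {
  dir: string;       // the agent-memory workspace
  inboxFile: string; // default target when the tool call gives no filename
}

// The pattern the finding describes: join() with no containment check.
// A filename such as '../outside.org' normalizes to a path above cfg.dir.
function unsafeMemoryPath(cfg: MemoryConfig, file?: string): string {
  return path.join(cfg.dir, file ?? cfg.inboxFile);
}

// Hardened version: returns an absolute path inside cfg.dir, or throws.
function safeMemoryPath(cfg: MemoryConfig, file?: string): string {
  const name = file ?? cfg.inboxFile;
  if (name.length === 0 || name.includes("\0")) {
    throw new Error("invalid filename");
  }
  if (path.isAbsolute(name)) {
    throw new Error("absolute paths are not allowed");
  }
  const base = path.resolve(cfg.dir);
  const target = path.resolve(base, name);
  const rel = path.relative(base, target);
  // rel is "" when the name resolves to the directory itself (not a file),
  // ".." or "../..." when the target is above base, and absolute on Windows
  // when the target is on another drive. A name like "..notes.org" is fine.
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`path escapes memory directory: ${name}`);
  }
  return target;
}

// Convenience predicate: true if safeMemoryPath would accept the name.
function isInsideMemoryDir(cfg: MemoryConfig, file?: string): boolean {
  try {
    safeMemoryPath(cfg, file);
    return true;
  } catch {
    return false;
  }
}
```

The check is purely lexical: it guarantees the string handed to the org CLI points inside the directory, but a symlink already present inside the directory can still lead a write elsewhere. If that matters in your deployment, resolve the target with fs.realpathSync before writing and re-run the same containment comparison on the result.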
The skill can run the local org CLI on the user's machine.
The skill runs the external org binary. This is disclosed and central to the purpose, and execFile is safer than shell execution, but the configured ORG_CLI_BIN must be trusted.
execFile(bin, args, { timeout: timeoutMs }, (err, stdout, stderr) => {
Install org from a trusted source and keep ORG_CLI_BIN pointed only at the intended binary.
Security depends partly on the separately installed org CLI binary.
The skill requires a separately downloaded org CLI binary. That dependency is expected for the integration, but the artifact does not pin a specific release in the install instruction.
"requires":{"bins":["org"] ... "install":[{"kind":"download","label":"Download from GitHub releases: https://github.com/dcprevere/org-cli/releases"}]
Use a verified release of org-cli and avoid substituting an untrusted binary.
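The two findings above (the skill executes whatever ORG_CLI_BIN points at, and the install instruction pins no release) share one practical check: before the first execFile call, confirm the binary on disk is the one the operator verified. The following is an added example, not the skill's code and not part of org-cli. It assumes the operator has recorded the SHA-256 of the release they verified and supplies it as expectedHex; the requirement that the configured path be absolute (so the lookup cannot be redirected through PATH) is this example's own choice, not something the artifact states.

```typescript
import * as fs from "node:fs";
import * as path from "node:path";
import { createHash, timingSafeEqual } from "node:crypto";

// Compare the SHA-256 of the file at binPath with a digest the operator
// recorded for the verified release. expectedHex is hex, any case.
// Returns false (never throws) on a malformed or mismatching digest.
function verifyBinaryDigest(binPath: string, expectedHex: string): boolean {
  const expected = Buffer.from(expectedHex.trim().toLowerCase(), "hex");
  if (expected.length !== 32) return false; // not a well-formed SHA-256
  const actual = createHash("sha256").update(fs.readFileSync(binPath)).digest();
  return timingSafeEqual(actual, expected);
}

// Resolve the configured ORG_CLI_BIN value to the path that should be handed
// to execFile. Assumption of this example: the value must be absolute, so the
// binary is never looked up through PATH. The digest check runs on the
// realpath, so a symlink swapped underneath the configured path is caught too.
function resolveTrustedBin(configuredBin: string, expectedHex: string): string {
  if (!path.isAbsolute(configuredBin)) {
    throw new Error(`ORG_CLI_BIN must be an absolute path, got: ${configuredBin}`);
  }
  const real = fs.realpathSync(configuredBin);
  if (!verifyBinaryDigest(real, expectedHex)) {
    throw new Error(`ORG_CLI_BIN at ${real} does not match the pinned digest`);
  }
  return real;
}
```

A typical call site would read process.env.ORG_CLI_BIN, pass it with the pinned digest to resolveTrustedBin, and use the returned path as the bin argument of execFile. The digest still has to come from a source you trust, such as the checksum published with the org-cli release you downloaded; the check only detects substitution after that point.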
Facts or instructions written into the memory files may affect later conversations.
The plugin automatically loads persistent memory.org and daily note files into the agent's session context. This is the stated purpose, but stored content can influence future sessions.
api.on("before_agent_start", async () => { ... readOrgFile(join(cfg.dir, "memory.org"), MAX_FILE_BYTES) ... readOrgFile(join(cfg.dir, "daily", `${today}.org`), MAX_FILE_BYTES)
Review the memory files periodically and avoid storing secrets or untrusted instructions there.
If migration is run, the user's default memory behavior may change across future sessions.
The optional migration can modify OpenClaw configuration and disable the default memory plugin, which affects future sessions. The artifact clearly says this must be user-initiated.
Writes: $ORG_MEMORY_DIR/memory.org, $ORG_MEMORY_DIR/daily/*.org, ~/.openclaw/openclaw.json ... Never start migration automatically. Only proceed if the user explicitly requests it.
Only run migration after backing up OpenClaw configuration and confirming the intended memory setup.
