Skillv1.0.2

ClawScan security

org-memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 22, 2026, 9:02 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what it says (persist agent memory to a separate org workspace), but there are a few inconsistencies and an optional migration flow that touches OpenClaw config and files outside the declared workspace which merit caution.
Guidance: This plugin appears to implement the advertised functionality (storing agent memory in a separate org workspace) and uses only the 'org' CLI and local files. Before installing: 1) Confirm you have the 'org-cli' skill and that ORG_CLI_BIN points to a trusted 'org' binary. 2) Ensure the ORG_MEMORY_* env vars point to directories you want the agent to read/write. 3) Be cautious about the optional migration: it reads ~/.openclaw/workspace/MEMORY.md and can write ~/.openclaw/openclaw.json to disable the default memory plugin — only allow that after backing up openclaw.json and explicitly consenting. 4) Note the small inconsistencies (SKILL.md mentions an install download and extra scope vars that are not declared); if you need high assurance, review the plugin files locally (index.ts, lib.ts) or ask the maintainer to clarify the migration UI and confirm no automatic config changes will be made. If you are uncomfortable with a plugin that can be instructed to modify OpenClaw config, do not enable migration or do not install.

Review Dimensions

Purpose & Capability: noteName/description match the implemented behavior: the plugin runs the 'org' CLI against an agent-specific directory and roam DB and exposes tools to read/add/append agent memory. Required binaries/env vars (org, ORG_MEMORY_DIR, ORG_MEMORY_ROAM_DIR, ORG_MEMORY_DB, ORG_CLI_BIN) are appropriate for the stated purpose. Minor inconsistency: SKILL.md metadata and reference docs mention ORG_CLI_DIR/ORG_CLI_DB in the declared read/write scope, but those env vars are not listed in requires.env; code itself uses only ORG_MEMORY_* and ORG_CLI_BIN.
Instruction Scope: concernRuntime instructions and code read agent memory files (memory.org, daily/*.org) and inject them into session context — this is expected. However the included 'Memory migration' doc outlines a migration that would read ~/.openclaw/workspace/MEMORY.md and write to $ORG_MEMORY_DIR and also update ~/.openclaw/openclaw.json to disable the default memory plugin. Although the doc says 'Never start migration automatically' and requires explicit user confirmation, these steps would modify OpenClaw global config and read/write files outside the declared ORG_MEMORY_* workspace, which is outside the core scope and is sensitive.
Install Mechanism: noteRegistry shows no install spec, which is low-risk. SKILL.md metadata contains an 'install' suggestion to download from the project's GitHub releases — GitHub releases is a reasonable source. There is a small inconsistency between registry install metadata (none) and the SKILL.md install entry; nothing here points to unusual or untrusted download hosts.
Credentials: noteThe required env vars are proportional to the skill's function (workspace directory, roam dir, DB, and org binary). No cloud credentials or unrelated secrets are requested. Caveat: the migration instructions involve reading/writing ~/.openclaw files (MEMORY.md, openclaw.json) which are not declared env vars — this expands the I/O surface beyond the declared workspace and should be explicitly consented to by the user.
Persistence & Privilege: concernThe skill is not 'always' and does not auto-enable itself; tool registration is optional. However, the documented migration flow instructs updating ~/.openclaw/openclaw.json to disable the default memory plugin — a modification of the agent's global configuration. Even if only executed with user confirmation, this capability to modify OpenClaw configuration and other users' workspace files is a sensitive privilege and increases risk.