ClawHub

Memory Scan

Scans OpenClaw agent memory files and workspace configs for malicious content, credential leaks, prompt injections, and security threats.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 1.6k · 3 current installs · 3 all-time installs
by@dgriffin831
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md, README, and scripts consistently describe a memory scanner that reads agent memory under ~/.openclaw/workspace and optionally calls remote LLMs for deeper analysis. Those capabilities align with the skill name. However, the registry metadata declares no required environment variables or credentials while the documentation and scripts expect API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, PROMPTINTEL_API_KEY) and an alert channel (OPENCLAW_ALERT_CHANNEL). This mismatch between declared requirements and actual runtime needs is unexpected.
!
Instruction Scope
Runtime instructions and scripts read and modify workspace memory files (MEMORY.md, memory/*.md and other config files) and can redact/quarantine content. The scanner will call the OpenClaw CLI (openclaw gateway config.get and openclaw cron add) and may create scheduled jobs. Remote LLM scanning (opt-in via --allow-remote) will send redacted file contents to external APIs. These actions are coherent for a memory scanner, but the instructions give agents broad access to workspace files and rely on external CLI/tools and API keys — confirm you want those accesses and that the redaction is sufficient for your threat model.
Install Mechanism
No external download/install spec is in the registry (instruction-only), and included helper script sets up a Python venv and pip-installs well-known libraries (openai, anthropic). Nothing is fetched from untrusted URLs or arbitrary servers. This is low-to-moderate install risk; running setup-venv.sh will install networked Python packages.
!
Credentials
Although the registry lists no required env vars, the code and docs expect: OPENAI_API_KEY or ANTHROPIC_API_KEY for remote LLM analysis, and OPENCLAW_ALERT_CHANNEL (and optionally OPENCLAW_ALERT_TO) for scheduling/alerts. The script also attempts to read gateway config via the openclaw CLI as a fallback to find keys. Requesting LLM API keys and an alert channel is reasonable for the stated functionality, but the metadata omission means the installer may be unaware of credential needs. Require-review: PROMPTINTEL_API_KEY mention for community reporting (molthreats) — optional but should be declared.
Persistence & Privilege
The skill does not set always:true. It can schedule recurring scans via the openclaw cron add command (schedule-scan.sh), which modifies the agent's scheduled jobs; this is expected for a monitoring tool but is a persistent change to agent behavior. Quarantine operations modify workspace files (backups under ~/.openclaw/workspace/.memory-scan/quarantine and redaction), but are opt-in per the docs. Autonomous invocation is allowed by default (disable-model-invocation is false) — normal for skills but worth noting because the skill can be invoked by automation or scheduled hooks.
Scan Findings in Context
[prompt-injection-pattern-in-SKILL.md] expected: SKILL.md and docs intentionally include prompt-injection examples (e.g., 'Ignore all previous instructions') because the scanner detects such patterns; the pre-scan detector flagged this text. This is expected and appropriate for a detection tool.
[external-llm-api-calls] expected: Scripts make HTTPS calls to OpenAI and Anthropic APIs for remote scanning (scan_openai, scan_anthropic). This matches the documented --allow-remote option.
[openclaw-cli-invocation] expected: memory-scan.py calls 'openclaw gateway config.get' and schedule-scan.sh calls 'openclaw cron add'. These shell calls are coherent with auto-detecting gateway config and scheduling scans, but require the openclaw CLI to be present and trusted.
[workspace-file-access] expected: The code reads/writes files under ~/.openclaw/workspace (memory files, backups, quarantine). That is expected for a memory scanner but is a privileged operation relative to ordinary skill bundles.
[metadata-missing-env-vars] unexpected: The registry metadata lists no required env vars or credentials, yet the code/docs require API keys and an alert channel. This metadata omission is an incoherence that could mislead users about what secrets the skill will use.
What to consider before installing
This package is plausibly a legitimate memory-scanner, but there are important mismatches and operational behaviors to verify before installing: - Metadata vs reality: The registry declares no env vars, but the scripts/docs require OPENAI_API_KEY or ANTHROPIC_API_KEY for remote scanning and OPENCLAW_ALERT_CHANNEL for scheduling. Ask the author to update metadata or be prepared to provide these values. - Remote scanning is opt-in (--allow-remote) and the code claims to redact sensitive tokens before sending, but any remote analysis sends content to external LLMs. If you care about leaked secrets or privacy, avoid --allow-remote or review redaction regexes carefully. - The skill calls the openclaw CLI to read gateway config and to create scheduled jobs. Confirm you trust the openclaw CLI and the exact cron job payload before running schedule-scan.sh. - Quarantine modifies workspace files (backups in .memory-scan/quarantine and redacts lines). That behavior is documented and opt-in, but you should review backup locations and permissions. - Review the included code yourself or run the scanner in an isolated/test workspace first (e.g., copy ~/.openclaw/workspace to a safe test directory), especially if you plan to enable scheduling or remote LLM analysis. If you decide to proceed: run only the local pattern scan first (no --allow-remote), verify the tool's output on test files, confirm the cron job payload, and only install/setup the venv and schedule if you understand and accept the credential and scheduling implications.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97ek86bh20ebwcw3g9z35z7ks80cj6b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

memory-scan

Security scanner for OpenClaw agent memory files

Scans MEMORY.md, daily logs (memory/*.md), and workspace configuration files for malicious content, prompt injection, credential leakage, and dangerous instructions that could compromise user security.

Purpose

Detect security threats embedded in agent memory:

  • Malicious instructions to bypass guardrails
  • Prompt injection patterns in stored memories
  • Credential/secret leakage
  • Data exfiltration commands
  • Behavioral manipulation
  • Security policy violations

Usage

On-Demand Scan

Scan all memory files:

python3 skills/memory-scan/scripts/memory-scan.py

Allow remote LLM analysis (redacted content only):

python3 skills/memory-scan/scripts/memory-scan.py --allow-remote

Scan specific file:

python3 skills/memory-scan/scripts/memory-scan.py --file memory/2026-02-01.md

Quiet mode (for automation):

python3 skills/memory-scan/scripts/memory-scan.py --quiet

JSON output:

python3 skills/memory-scan/scripts/memory-scan.py --json

Scheduled Monitoring

Cron Job (Daily Security Audit)

Already included in safe-install daily audit - runs 2pm PT daily.

To add standalone cron:

bash skills/memory-scan/scripts/schedule-scan.sh

Requires:

  • OPENCLAW_ALERT_CHANNEL (configured in OpenClaw)
  • OPENCLAW_ALERT_TO (optional, for channels that require a recipient)

Creates cron job: daily at 3pm PT, sends alert only if threats found.

Heartbeat Integration

Add to HEARTBEAT.md:

## Weekly Memory Scan

Every Sunday, run memory scan:
python3 skills/memory-scan/scripts/memory-scan.py --quiet

Security Levels

  • SAFE - No threats detected
  • LOW - Minor concerns, proceed with awareness
  • MEDIUM - Potential threat, review recommended
  • HIGH - Likely threat, immediate review required
  • CRITICAL - Active threat detected, quarantine recommended

What It Scans

  1. MEMORY.md - Long-term memory
  2. memory/*.md - Daily logs (last 30 days by default)
  3. Workspace config files:
    • AGENTS.md, SOUL.md, USER.md, TOOLS.md
    • HEARTBEAT.md, GUARDRAILS.md, IDENTITY.md
    • BOOTSTRAP.md (if exists)
    • STOCKS_MEMORIES.md (if exists)

Detection Categories

  1. Malicious Instructions - Commands to harm user/data
  2. Prompt Injection - Embedded manipulation patterns
  3. Credential Leakage - API keys, passwords, tokens
  4. Data Exfiltration - Instructions to leak data
  5. Guardrail Bypass - Attempts to override security
  6. Behavioral Manipulation - Unauthorized personality changes
  7. Privilege Escalation - Attempts to gain unauthorized access

Alert Workflow

On MEDIUM/HIGH/CRITICAL detection:

  1. Stop processing
  2. Send alert via configured OpenClaw channel with:
    • Severity level
    • File location (file:line)
    • Threat description
    • Recommended action
  3. Optional: Quarantine threat (backup + redact)

LLM Provider

Auto-detects provider from OpenClaw config:

  • Prefers OpenAI (gpt-4o-mini) if OPENAI_API_KEY set
  • Falls back to Anthropic (claude-sonnet-4-5) if available
  • Uses gateway model config

Remote LLM scanning is disabled by default. Use --allow-remote to enable redacted LLM analysis.

Quarantine

To quarantine a detected threat:

python3 skills/memory-scan/scripts/quarantine.py memory/2026-02-01.md 42

Creates:

  • Backup: .memory-scan/quarantine/memory_2026-02-01_line42.backup
  • Redacts line 42 with: [QUARANTINED BY MEMORY-SCAN: <timestamp>]

Files

  • scripts/memory-scan.py - Main scanner (local patterns + optional LLM with --allow-remote)
  • scripts/schedule-scan.sh - Create cron job for daily scans
  • scripts/quarantine.py - Quarantine detected threats
  • docs/detection-prompt.md - LLM detection prompt template

Integration with Other Skills

  • safe-install: Daily audit already includes memory-scan
  • input-guard: Complementary (input-guard = external, memory-scan = internal)
  • molthreats: Can report memory-based threats to community feed

Example

$ python3 skills/memory-scan/scripts/memory-scan.py

🧠 Memory Security Scan
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Scanning memory files...

✓ MEMORY.md - SAFE
✓ memory/2026-02-01.md - SAFE
⚠ memory/2026-01-30.md - MEDIUM (line 42)
  → Potential credential leakage: API key pattern detected

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Overall: MEDIUM
Action: Review memory/2026-01-30.md:42

Agent Workflow

When user requests memory scan:

  1. Run: python3 skills/memory-scan/scripts/memory-scan.py
  2. If MEDIUM+: Send alert immediately via configured channel
  3. Summarize findings
  4. Ask if user wants to quarantine threats

Notes

  • Scans last 30 days of daily logs by default (configurable with --days)
  • Uses same LLM approach as input-guard for consistency
  • Does NOT auto-quarantine - always asks first
  • Safe to run frequently (minimal API cost with efficient chunking)

Files

12 total
Select a file
Select a file to preview.

Comments

Loading comments…