Memory Scan
Review
Audited by ClawScan on May 10, 2026.
Overview
Memory Scan is mostly purpose-aligned, but its remote LLM mode may send incompletely redacted memory/config content to providers and its quarantine helper can overwrite arbitrary absolute file paths.
Review before installing. Local scanning is aligned with the skill’s purpose, but avoid `--allow-remote` on sensitive memories unless you accept provider transmission and have verified redaction. If quarantining, confirm the exact file path and inspect `.memory-scan/quarantine/` backups. Only enable the cron job if you want recurring scans.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you enable remote scanning, private memory/config data or non-matching secrets could be sent to OpenAI or Anthropic.
Remote mode sends scanned memory content to the LLM providers, but the redaction patterns shown cover only a limited set of credential formats. Other secrets or private memory/config content may therefore be transmitted even though the docs describe remote analysis as redacted.
REDACTION_PATTERNS = [... OPENAI_API_KEY|ANTHROPIC_API_KEY ..., ... sk- ..., ... AKIA ..., ... PRIVATE KEY ...] ... Request("https://api.openai.com/v1/chat/completions"
Keep remote scanning off unless needed, expand redaction to cover more secret types, add file/path exclusions, and clearly warn users what may be sent to providers.
A mistaken or manipulated quarantine path could modify files outside OpenClaw memory, including important local files the user did not intend to edit.
Relative paths are placed under the OpenClaw workspace, but absolute paths are accepted as-is and later overwritten during line or file quarantine.
if not os.path.isabs(file_path): file_path = os.path.join(WORKSPACE, file_path) ... with open(file_path, 'w', encoding='utf-8') as f:
Reject absolute paths or enforce an allowlist under the workspace memory/config locations, and show an explicit path confirmation before writing.
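As an added illustration (not code from the skill or from ClawScan), the path handling this finding describes alongside a confined variant that resolves the candidate and rejects anything outside an assumed allowlist of workspace sub-directories; the sub-directory names, the workspace layout and the sample memory file are all constructed for the example:

```python
import os
import tempfile
from pathlib import Path

# Workspace sub-directories that quarantine may write to. The skill's real
# layout is not shown in the review, so these names are assumptions.
ALLOWED_SUBDIRS = ("memory", "config")

def resolve_as_reviewed(workspace: str, file_path: str) -> str:
    """Logic the review quotes: relative paths join the workspace, absolute pass through."""
    if not os.path.isabs(file_path):
        file_path = os.path.join(workspace, file_path)
    return file_path

def resolve_confined(workspace: str, file_path: str) -> Path:
    """Hardened variant: resolve '..' and symlinks, then require an allow-listed parent."""
    root = Path(workspace).resolve()
    # pathlib drops `root` when file_path is absolute, so the join alone protects nothing.
    candidate = (root / file_path).resolve()
    for sub in ALLOWED_SUBDIRS:
        if (root / sub).resolve() in candidate.parents:
            return candidate
    raise ValueError(f"refusing to write outside the workspace allowlist: {candidate}")

def quarantine_line(workspace: str, file_path: str, line_no: int) -> str:
    """Drop one line from an allow-listed file; the path check runs before any write."""
    target = resolve_confined(workspace, file_path)
    lines = target.read_text(encoding="utf-8").splitlines(keepends=True)
    removed = lines.pop(line_no)
    target.write_text("".join(lines), encoding="utf-8")
    return removed

def demo() -> dict:
    """Exercise both resolvers against a constructed temporary workspace."""
    with tempfile.TemporaryDirectory() as ws:
        notes = Path(ws, "memory", "notes.md")
        notes.parent.mkdir()
        notes.write_text("keep\nAKIA-constructed-sample\nkeep too\n", encoding="utf-8")
        results = {"removed": quarantine_line(ws, "memory/notes.md", 1),
                   "remaining": notes.read_text(encoding="utf-8"),
                   "reviewed_abs": resolve_as_reviewed(ws, "/tmp/not-in-workspace")}
        for bad in ("/tmp/not-in-workspace", "../escape.md", "memory/../escape.md"):
            try:
                resolve_confined(ws, bad)
                results[bad] = "accepted"
            except ValueError:
                results[bad] = "rejected"
    return results
```

The as-reviewed resolver hands an absolute path straight through, while the confined one refuses it, a `..` escape, and a traversal that starts inside an allowed directory.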
Quarantining a leaked secret may leave an unredacted copy in `.memory-scan/quarantine/`.
When a line is quarantined, the original line is preserved in a backup file, which can retain the same credential or malicious memory content that was removed from the source.
f.write("Original content:\n")
f.write(original_line)
Protect or delete quarantine backups after review, and rotate any credentials that were exposed.
If configured, the skill will keep running on a schedule and may send alerts after the initial setup.
The script creates an enabled daily cron job that triggers an agent turn for recurring scans.
"name": "memory-scan-daily", "schedule": { "kind": "cron", "expr": "0 15 * * *" } ... openclaw cron add --job "$JOB_JSON"
Only add the cron job if you want ongoing monitoring, and use `openclaw cron list` / `openclaw cron update` to review or disable it.
The skill may use provider credentials and incur API usage when remote analysis is enabled.
Remote LLM mode uses OpenAI or Anthropic API keys from the environment or OpenClaw gateway config.
openai_key = os.getenv("OPENAI_API_KEY") ... subprocess.run(["openclaw", "gateway", "config.get"], ...)
Use dedicated, limited-scope API keys where possible and confirm that remote scanning is intentional.
Running this helper can introduce supply-chain risk from unpinned dependencies.
The optional helper installs the latest, unpinned versions of the `openai` and `anthropic` packages via pip, even though the main scanner is documented as standard-library-only.
pip install --quiet --upgrade pip
pip install --quiet openai anthropic
Avoid the helper unless needed, or pin package versions and verify dependencies before installing.
