Memory Hygiene

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is coherent for memory cleanup, but it includes destructive full-memory wipes and a recurring monthly wipe job without clear backup or confirmation guardrails.

Review this skill before installing. Use it only if you are comfortable with full Clawdbot vector-memory deletion, back up memory before wiping, and do not enable the monthly cron unless you want recurring automatic maintenance.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Severity: Medium

What this means

If this instruction is followed automatically or too casually, the user could lose all Clawdbot vector memories.

Why it was flagged

This is a destructive shell command that removes the entire LanceDB vector-memory directory. It is related to the skill purpose, but the artifact does not describe confirmation, backup, dry-run, or recovery steps before deletion.

Skill content

**Wipe:** Clear all vector memory
```bash
rm -rf ~/.clawdbot/memory/lancedb/
```
Then restart gateway: `clawdbot gateway restart`

Recommendation

Require explicit user confirmation before wiping, back up the memory directory first, and prefer an audit or selective-delete workflow when possible.

ASI10: Rogue Agents
Severity: Medium

What this means

A scheduled agent job could keep deleting and rebuilding memory each month, potentially removing useful memories without the user noticing.

Why it was flagged

The skill instructs creation of a persistent scheduled job that repeatedly performs a destructive wipe and reseed of memory. The automation is disclosed and purpose-aligned, but it lacks per-run approval, removal instructions, or rollback guidance.

Skill content

## Monthly Maintenance Cron

Set up a monthly wipe + reseed:

```
cron action=add job={
  "name": "memory-maintenance",
  "schedule": "0 4 1 * *",
  "text": "Monthly memory maintenance: 1) Wipe ~/.clawdbot/memory/lancedb/ 2) Parse MEMORY.md 3) Store key facts to fresh LanceDB 4) Report completion"
}
```

Recommendation

Only add the cron job after an explicit user request, include instructions to disable it, and add backup/confirmation steps before each wipe.

ASI06: Memory and Context Poisoning
Severity: Medium

What this means

Sensitive facts stored in memory may be recalled into future agent context, reused incorrectly, or exposed to later tasks.

Why it was flagged

The skill works directly with persistent vector memory and suggests storing account, credential-location, and contact facts. It also warns not to store OAuth URLs or tokens, which reduces but does not eliminate sensitivity.

Skill content

memory_recall query="*" limit=50
...
✅ Store:
- Important facts (accounts, credentials locations, contacts)
...
❌ Never store:
- OAuth URLs or tokens

Recommendation

Store only minimal non-secret facts, avoid actual credentials or highly sensitive locations unless necessary, and review memory contents periodically.