SecondMind
Verdict: Suspicious
Audited by ClawScan on May 10, 2026.
Overview
SecondMind is mostly aligned with its memory purpose, but it persistently ingests OpenClaw conversations, installs background jobs, exposes sensitive Telegram control if misconfigured, and has a reported hardcoded API secret.
Before installing, make sure you are comfortable with persistent memory over your OpenClaw conversations, cloud LLM processing via OpenRouter, scheduled background jobs, and optional Telegram access. Set a narrow sessionsDir, configure Telegram chatId if used, audit cron or Task Scheduler after setup, and verify that lib/llm.js contains no hardcoded API key.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private OpenClaw conversations can be retained and reused across tasks, including emotional and project context, rather than staying limited to the original session.
The ingestion job reads every JSONL transcript in the configured sessions directory and stores conversation content in SecondMind's persistent database.
Evidence: const files = fs.readdirSync(sessionsDir).filter(f => f.endsWith('.jsonl')).map(f => path.join(sessionsDir, f)); ... INSERT OR IGNORE INTO shortterm_buffer ... raw_content
Install only if you want broad persistent memory. Configure a narrow sessions path, add retention/deletion controls, and review or delete data/secondmind.db when needed.
A reset may not stop the current conversation from being captured into persistent memory.
The skill tells the agent to intercept reset commands and archive the session before honoring the reset.
Evidence: When the user sends /new or /reset: 1. BEFORE the reset takes effect, run: node {baseDir}/scripts/flush.js ... 3. THEN allow the reset to proceed normally
Require explicit user confirmation before pre-reset capture, and document a way to reset without saving.
The skill can continue processing conversations, making cloud LLM calls, and sending notifications without a direct user request each time.
The setup script installs recurring background jobs that autonomously ingest, process, archive, and generate proposals after setup.
Evidence:
const crons=[
  `*/30 * * * * cd ${base} && ${nodePath} scripts/ingest.js ...`,
  `15 */6 * * * cd ${base} && ${nodePath} scripts/consolidate.js ...`,
  `0 3 * * * cd ${base} && ${nodePath} scripts/archive.js ...`,
  `45 */6 * * * cd ${base} && ${nodePath} scripts/initiative.js ...`
];
... execSync('crontab /tmp/secondmind-crontab')
Only run setup if you want persistent background automation; inspect crontab or Task Scheduler afterward and provide/verify a clear uninstall path.
If standalone Telegram mode is enabled without a chat ID, other Telegram chats that reach the bot could issue commands such as status, search, mood, accept, reject, or drop.
The standalone Telegram bot only restricts commands when chatId is configured; if chatId is missing, it does not fail closed.
Evidence: const allowedChat = config.notifications?.telegram?.chatId; ... if (allowedChat && chatId !== String(allowedChat)) { ... continue; }
Require chatId before starting the bot, fail closed when it is absent, and keep standalone mode disabled until Telegram access is locked to the intended chat.
A hardcoded key could expose someone else's credential, route data through an unintended account, or create billing and access-control confusion.
The scanner reports a hardcoded API key in the LLM client, which conflicts with the documented model of using the user's OpenRouter API key from config.json.
Static scan: File appears to expose a hardcoded API secret or token. Evidence: const apiKey = [REDACTED];
Remove any embedded secret, rotate the exposed key, and load OpenRouter credentials only from user-controlled config or environment variables.
Installation may pull newer dependency versions than the author originally tested.
Dependencies are fetched with semver ranges during npm install, and no lockfile is shown in the manifest.
Evidence: "dependencies": { "better-sqlite3": "^11.7.0", "glob": "^11.0.0" }
Review the dependency tree, prefer a lockfile or pinned versions, and install from a trusted source.
Running setup executes npm installation and any normal package installation behavior on the user's machine.
The setup script executes a shell command to install Node dependencies. This is purpose-aligned installer behavior, but it is still local code execution.
Evidence: try { execSync('npm install --production',{cwd:BASE,stdio:'inherit'}); }
Run setup only from a trusted copy of the skill and review package.json before installation.
