v1.0.2

Awareness Cloud Memory

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:02 AM.

Analysis

The skill is coherent for cloud memory, but it automatically sends prompt-derived data to a memory service, injects persistent stored content back into future sessions, and has credential/endpoint handling that deserves review before installation.

Guidance

Review this skill carefully before installing. Use a dedicated Awareness API key, verify that AWARENESS_BASE_URL and any openclaw.json files point only to trusted endpoints, avoid sensitive secrets in prompts or records, and periodically inspect/clear the cloud memory. The setup script should be treated cautiously until its browser-opening command avoids shell interpolation.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Get Agent Prompt (sub-agent spawning) ... Use the returned prompt as the sub-agent's system prompt for memory isolation.

The instructions tell the agent to fetch a prompt from the memory service and use it as a system prompt for another agent, giving remote/stored content high authority.

User impact: A cloud-provided or stored prompt could steer a sub-agent's behavior beyond the user's immediate request.
Recommendation: Do not use remote prompts as system prompts unless they are trusted, reviewed, and constrained; prefer displaying them for user approval first.

Unexpected Code Execution
Severity: Medium | Confidence: High | Status: Concern
scripts/setup.js
if (process.platform === "darwin") execSync(`open "${url}"`, { stdio: "ignore" }); ... const verifyUrl = `${authData.verification_uri || "https://awareness.market/cli-auth"}?code=${encodeURIComponent(authData.user_code)}`;

The setup flow opens a URL using shell command construction, and the URL can come from authentication response data, so special characters in that URL could affect the shell command.

User impact: During setup, a malicious or compromised configured auth endpoint could turn the browser-open step into unintended shell command execution.
Recommendation: Use execFile/spawn with argument arrays, validate the URL scheme and host, and avoid shell interpolation for browser launching.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
scripts/shared.js
const configPaths = [path.join(home, ".openclaw", "openclaw.json"), path.join(process.env.cwd || process.cwd(), "openclaw.json")]; ... if (sc.baseUrl) defaults.baseUrl = sc.baseUrl; ... if (apiKey) h.Authorization = `Bearer ${apiKey}`;

The code can read a project-local openclaw.json, let it change the API base URL, and then attach the existing Awareness bearer token to requests sent to that base URL.

User impact: A project configuration file could redirect memory API calls and receive the user's Awareness API key or memory traffic.
Recommendation: Only allow trusted endpoints for the global API key, require explicit confirmation when baseUrl changes, and avoid using project-local config to override the credential destination.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Concern
scripts/recall.js
const recall = await apiPost(ep.baseUrl, ep.apiKey, `/memories/${ep.memoryId}/retrieve`, { query: prompt, ... }); ... parts.push(`    <result${score}>${r.content}</result>`);

Before a prompt is handled, the script sends the prompt as a retrieval query and injects returned memory content directly into the agent context, including raw result content.

User impact: Old, incorrect, or poisoned memory entries can influence future work, and sensitive prompt text may be processed by the configured memory service for retrieval.
Recommendation: Treat recalled memory as untrusted context, scope memories per project, review and delete stale entries, and escape or label retrieved content so it cannot masquerade as instructions.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
scripts/capture.js
await fetch(`${ep.baseUrl}/mcp/events`, { method: "POST", headers, body: JSON.stringify({ memory_id: ep.memoryId, content, session_id: sessionId, agent_role: config.agentRole || undefined, event_type: "session_checkpoint", source: "awareness-skill" }) });

The Stop hook posts session checkpoint data to the configured memory endpoint; this is expected for a cloud memory skill but crosses a provider boundary automatically.

User impact: Session metadata and recorded memory events are shared with the configured Awareness endpoint without a per-event prompt.
Recommendation: Install only if you trust the configured memory service, and avoid using the skill in sessions containing secrets unless that sharing is acceptable.