OpenClaw Memory Resilience
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only memory skill is coherent, but it encourages silent durable memory writes, searchable long-term logs, and credential-related content in agent memory, so users should review it before applying it globally.
Use this skill only if you want persistent agent memory and understand that saved notes may survive across sessions. Before applying it globally, remove or rewrite any guidance that would store raw credentials, add rules for what the agent may save, review memory files periodically, and prefer per-workspace or per-agent rollout.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private details, mistakes, or stale instructions could be saved and later reused without the user seeing exactly what was written.
This describes automatic, non-visible memory writes at compaction time; without review or exclusions, sensitive or incorrect conversation context can be persisted.
OpenClaw injects a silent turn that prompts the agent to save important context to disk. The user never sees this turn. The `NO_REPLY` token in the prompt suppresses delivery.
Add explicit allow/deny rules for what may be saved, review memory files regularly, and avoid silent auto-flush in sensitive workspaces unless users accept that behavior.
Information from old conversations may remain searchable long after the original session, including information the user did not intend to preserve.
The skill proposes durable, append-only session logs that remain searchable after archival, but it does not specify deletion, retention, or sensitive-data filtering controls.
`memory/YYYY-MM-DD.md` — raw session logs. Append-only. The pre-compaction flush writes here. Archive after ~2 weeks. ... Archived files remain fully searchable via `memory_search`
Define retention and deletion policies, exclude secrets and sensitive personal data, and index only approved memory paths.
If users store raw secrets or access details there, the agent may read and reuse them in every session, increasing exposure and misuse risk.
The documentation recommends placing credential-related information in persistent agent-accessible files, but does not limit this to non-secret references or describe secret-management safeguards.
TOOLS.md — Environment: SSH hosts, services, credentials map ... MEMORY.md — curated, compact, durable facts. Credentials, infrastructure, decisions, preferences.
Do not store raw credentials in memory files; store only references to a secret manager, keep file permissions tight, and separate sensitive access details from general agent memory.
All agents in the workspace may start saving memory, adding footers, or resetting based on thresholds, which may surprise users if applied wholesale.
A single recommended configuration can affect all agents and future responses, including per-response status calls and automatic reset behavior; this is disclosed and purpose-aligned, but broad.
Apply via `gateway config.patch`. This is a global default — applies to all agents ... Add to every agent's SOUL.md ... **Every response:** fetch live status via `session_status` ... Auto-clear: **85% context** OR **6 compactions**
Apply the configuration per-agent or in a test workspace first, and require confirmation before reset or clear actions if disruption matters.