Personal Insight Engine
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill’s behavior matches its stated purpose, but it reads recent local OpenClaw memory logs and sends cleaned content to external LLM providers.
Install only if you are comfortable sharing recent OPENCLAW_WORKSPACE memory logs with Gemini or Zhipu after regex-based redaction. Use a dedicated provider API key, limit the --days range, and review especially sensitive logs before running.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private business or session details in memory logs may influence the report and may be included in content sent for analysis after redaction.
Recent local memory files are aggregated and used as LLM context, so private or poisoned session-log content can affect the generated strategic analysis.
files = get_recent_memory_files(days=days) ... full_text += f"\n--- File: {f.name} ---\n{clean}\n" ... insights = analyzer.get_insights(full_text)
Review the memory folder before use, keep the lookback window small, and treat generated insights as a summary of potentially noisy or adversarial log content.
Your redacted OpenClaw memory-log content leaves the local workspace and is processed by Gemini or Zhipu.
The cleaned log aggregate is sent to external LLM provider APIs, which is disclosed and purpose-aligned but still creates a data-sharing boundary.
self.url = f"https://generativelanguage.googleapis.com/..." ... self.url = "https://open.bigmodel.cn/api/paas/v4/chat/completions" ... response = httpx.post(self.url, json=payload, timeout=60.0)
Use this only if provider processing is acceptable for your logs, and check the chosen provider’s retention and privacy terms.
The skill can spend quota or make requests under whichever provider API key is configured.
The skill reads provider API keys from the environment to call Gemini or Zhipu, which is expected for this integration.
gemini_key = os.getenv("GEMINI_API_KEY")
zhipu_key = os.getenv("ZHIPU_API_KEY")
Use a dedicated, limited-scope API key where possible and avoid placing unrelated secrets in the runtime environment.
A user might overestimate the completeness of the redaction and send logs containing sensitive context.
The privacy wording is strong; the code performs regex-based redaction before transmission, but users should not assume all sensitive business context or all secret formats are removed.
**Zero-Exposure Redaction**: Before transmission, all content is scrubbed for: API Keys, Tokens, and Passwords ... Email addresses and IP addresses ... Local file system paths
Consider the redaction a helpful mitigation, not a guarantee; manually review sensitive logs before running the skill.
Future installs could resolve to newer dependency versions than the author tested.
The dependency list is short and purpose-aligned, but package versions are not pinned.
httpx python-dotenv
Pin dependency versions or install in an isolated environment if reproducibility matters.
