ClawVault
PassAudited by ClawScan on May 10, 2026.
Overview
ClawVault appears to be a disclosed local memory and hook system, but enabling it will persistently run local commands, store and reuse session context, and optionally send transcript-derived content to Gemini.
Review the hook and installed npm/GitHub packages before enabling. Choose a vault path intentionally, avoid storing secrets in session memory, and do not set GEMINI_API_KEY unless you are comfortable sending transcript-derived content to Gemini. Disable the hook if you do not want automatic checkpointing, observation, cron reflection, or context injection.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may cause the agent environment to use code from npm and GitHub that is outside the reviewed skill bundle.
The skill relies on globally installed external packages, including an unpinned GitHub dependency. This is central to the stated CLI/hook purpose, but it creates normal supply-chain trust considerations.
npm install -g clawvault@latest ... npm install -g github:tobi/qmd
Review the package metadata and repository, consider pinning versions, and install only from sources you trust.
After the hook is enabled, OpenClaw lifecycle events can trigger local ClawVault commands.
The hook executes local binaries from JavaScript. The no-shell approach reduces command-injection risk, and this execution is expected for the ClawVault CLI integration.
import { execFileSync } from 'child_process'; ... SECURITY: Uses execFileSync (no shell)Enable the hook only after reviewing the hook source and confirming the installed ClawVault binary is trusted.
Repair operations can change local OpenClaw transcript files, although backups are described.
The skill can mutate OpenClaw session transcript files. This is disclosed and backup-protected, but it affects user session data outside the vault itself.
`repair-session` reads and modifies OpenClaw session transcripts (`~/.openclaw/agents/`) — creates backups before writing
Use repair features deliberately and keep or verify backups before accepting transcript changes.
Once enabled, ClawVault can act during future OpenClaw sessions without a fresh command each time.
The hook runs persistently on gateway and session lifecycle events, plus a weekly cron. It is described as opt-in, so this is not hidden persistence, but it is continuing automation.
events: ["gateway:startup", "gateway:heartbeat", "command:new", "session:start", "compaction:memoryFlush", "cron.weekly"]
Enable the hook only if you want automatic memory behavior, and disable it when you do not want background checkpointing or context injection.
Old, inaccurate, or maliciously written vault entries could steer future responses or decisions.
Retrieved vault memory is injected into future agent context. This is the skill's purpose, but stale or poisoned memory can influence later agent behavior.
Runs `clawvault context "<prompt>" --format json --profile auto -v <vaultPath>` ... Injects up to 4 relevant context bullets into session messages
Curate the vault, review injected context when it appears, and avoid storing untrusted instructions as authoritative memory.
If observe compression is used, transcript-derived content may be sent to Gemini for processing.
The artifacts disclose an external LLM provider flow for transcript compression. This is purpose-aligned, but session transcripts may contain sensitive data.
`observe --compress` makes LLM API calls (Gemini Flash by default) to compress session transcripts into observations
Use observe compression only when acceptable for your data, and avoid setting GEMINI_API_KEY if you want to keep all processing local.
Providing this API key lets ClawVault call Gemini under your account or quota.
The skill can use a provider API key, but the credential use is disclosed as optional and tied to the LLM compression feature.
`GEMINI_API_KEY` — used by `observe` for LLM compression (optional, only if using observe features)
Use a scoped key if possible, monitor usage, and do not provide the key unless you need observe compression.