v2.5.13

ClawVault

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:14 AM.

Analysis

ClawVault is a coherent memory tool, but it deserves careful review because it installs and runs persistent hook code that automatically reads, writes, and reuses agent session memory.

Guidance: Install ClawVault only if you want persistent agent memory and automatic hook-based recovery. Before enabling the hook, review the installed handler, pin or verify package sources, choose a controlled vault location, understand that OpenClaw session transcripts may be read or modified, and configure Gemini only if you accept external transcript compression.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
npm install -g clawvault@latest ... npm install -g github:tobi/qmd

The setup uses global, unpinned package installs, including a GitHub package, for tooling that later runs as an OpenClaw hook; the registry install metadata is also absent, weakening provenance and version containment.

User impact: A changed or compromised upstream package could run code inside the user’s agent environment after installation or hook enablement.
Recommendation: Pin package versions or integrity hashes where possible, review the installed hook source before enabling it, and ensure the registry metadata accurately declares required binaries and install steps.

Rogue Agents
Severity: Medium | Confidence: High | Status: Concern
hooks/clawvault/HOOK.md
On heartbeat: Runs cheap threshold checks and observes active sessions when needed ... On weekly cron: Runs `clawvault reflect` every Sunday midnight (UTC)

The hook is designed to keep operating across gateway lifecycle events and scheduled cron, creating observations/reflections and other memory updates after it is enabled.

User impact: The skill can continue processing session activity and changing memory state in the background during normal OpenClaw operation.
Recommendation: Enable the hook only if you want persistent automatic memory behavior, and disable or remove it when you do not want background observation, checkpointing, or reflection.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
hooks/clawvault/handler.js
import { execFileSync } from 'child_process'; ... SECURITY: Uses execFileSync (no shell) to prevent command injection

The hook executes local CLI commands; the provided code indicates no-shell execution, which reduces injection risk, but command execution remains a sensitive capability.

User impact: The hook can invoke local ClawVault actions automatically as part of OpenClaw events.
Recommendation: Review the hook commands and keep automatic hook execution limited to trusted vaults and sessions.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
`GEMINI_API_KEY` — used by `observe` for LLM compression (optional, only if using observe features)

The optional API key is purpose-aligned for Gemini compression, but it grants provider access and potential billable usage.

User impact: If configured, the skill can make Gemini API calls using the user’s key.
Recommendation: Use a dedicated, limited API key if possible, monitor usage, and do not configure the key unless you need observe compression.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
hooks/clawvault/HOOK.md
Injects up to 4 relevant context bullets into session messages

Vault memory is retrieved and inserted into future agent context, so stale or poisoned stored content can influence later tasks.

User impact: Old, incorrect, or maliciously written memory entries could shape the agent’s future responses.
Recommendation: Treat retrieved memory as reference material, periodically review the vault, and remove or quarantine untrusted memory entries.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
SKILL.md
`observe --compress` makes LLM API calls (Gemini Flash by default) to compress session transcripts into observations

When observe compression is used, session transcript content may be sent to an external LLM provider.

User impact: Private agent conversations or work context could leave the local machine if LLM compression is enabled.
Recommendation: Use observe compression only when external processing is acceptable, redact sensitive transcripts first, and review provider retention and privacy settings.