Total Recall

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

Total Recall is a coherent memory tool, but it automatically watches your OpenClaw conversations, sends them to an LLM, and persists the results into future agent context.

Install only if you are comfortable with an autonomous memory system reading your agent transcripts, summarizing them through a configured LLM provider, and loading the resulting notes in future sessions. For sensitive work, use a local/private model, start Dream Cycle in read-only mode, manually review observations.md, protect API keys, and enable cron/watchers only after you understand how to stop or remove them.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Private conversations, secrets, business details, or personal information discussed with the agent may be sent to the configured LLM provider on a recurring basis.

Why it was flagged

The skill automatically processes raw conversation transcripts through an LLM provider, with OpenRouter as the default endpoint. The artifacts do not show redaction or per-run approval for sensitive transcript content.

Skill content

Observer reads recent session transcripts (JSONL), sends them to an LLM, and appends compressed observations to `observations.md` ... `LLM_BASE_URL` | `https://openrouter.ai/api/v1`

Recommendation

Use a local/private LLM endpoint for sensitive work, add redaction and exclusion controls, document provider retention, and require explicit opt-in before enabling automatic transcript processing.

What this means

A mistaken or maliciously induced memory could cause the agent to remember false preferences, rules, or facts across sessions, and private information may remain in persistent files.

Why it was flagged

Auto-generated observations are persisted and then loaded into future agent context. If the observer records incorrect, sensitive, or adversarial instructions as memory, they can influence later sessions.

Skill content

Observer reads recent session transcripts ... appends compressed observations to `observations.md` ... `At session startup, read memory/observations.md for cross-session context.`

Recommendation

Treat generated memories as untrusted until reviewed, keep them in a clearly user-editable file, avoid loading them as high-priority system instructions, and provide easy audit/delete controls.

Concern (High Confidence)
ASI10: Rogue Agents
What this means

The skill can continue watching session files, invoking LLM calls, consuming provider credits, and writing memory even when the user is not actively running it.

Why it was flagged

The skill is designed to keep operating through cron, a daemon-style watcher, and compaction hooks after setup, not just when manually invoked.

Skill content

Layer 1: Observer (cron, every 15 min) ... Layer 4: Reactive Watcher (inotify daemon, Linux only) ... Layer 5: Pre-compaction hook

Recommendation

Make each background trigger explicitly opt-in, provide clear stop/uninstall commands, log every run, and let users disable watcher, cron, and compaction hooks independently.

Concern (High Confidence)
ASI08: Cascading Failures
What this means

A bad classification or LLM error could alter the memory file that future sessions rely on, spreading stale or wrong context across later interactions.

Why it was flagged

The Dream Cycle prompt defaults to write mode, allowing automated archival and updates to persistent memory unless a safer mode is explicitly set.

Skill content

`READ_ONLY_MODE=false` -> full write mode ... Default assumption if not specified externally: `READ_ONLY_MODE=false`.

Recommendation

Default Dream Cycle to read-only, require human approval for live writes, and keep backups plus a simple rollback path visible to users.

Note (High Confidence)
ASI01: Agent Goal Hijack
What this means

During compaction, the agent may prioritize memory preservation actions over ordinary interaction and may write notes without a visible response.

Why it was flagged

The compaction hook deliberately gives the agent forceful instructions to run a command, write memory, and suppress a normal reply. This is purpose-aligned but should remain tightly scoped.

Skill content

IMPORTANT: Context is nearing compaction. You MUST preserve important information ... exec: bash ~/your-workspace/skills/total-recall/scripts/observer-agent.sh --flush ... Reply with NO_REPLY after writing.

Recommendation

Keep this instruction only in the compaction hook, avoid adding it to the global system prompt, and make the hook’s writes auditable.

What this means

Anyone with access to the environment or cron configuration could potentially use or leak the LLM provider key.

Why it was flagged

The skill needs provider credentials for its stated LLM summarization purpose. The artifacts do not show hardcoded keys or unrelated credential use, but users must protect the key.

Skill content

`OPENROUTER_API_KEY` | (required) | OpenRouter API key for LLM calls ... `LLM_API_KEY` | falls back to `OPENROUTER_API_KEY`

Recommendation

Use a scoped/low-limit provider key, store it outside shared files, prefer a local endpoint for private data, and rotate the key if logs or configs are exposed.