Back to skill
Skillv1.0.0
ClawScan security
OpenClaw Memory Fix Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 7, 2026, 5:28 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill claims to 'fix memory' but asks you to copy a large set of persistent workspace files that change agent behavior (including an instruction to 'Don't ask permission'), contains at least one hard-coded platform token, and therefore has mismatches between stated purpose and requested/persistent actions.
- Guidance
- Do not blindly copy the provided config-files into your live ~/.openclaw/workspace. Before installing: 1) Inspect and sanitize files (especially TOOLS.md and any file with tokens or API keys); remove or rotate any hard-coded tokens. 2) Backup your workspace. 3) Test the package in an isolated sandbox or throwaway OpenClaw instance to see what files it writes and what behavior changes (heartbeats, subagent spawning, automatic external requests) it triggers. 4) Look for lines that tell the agent to 'Don't ask permission' or to read broad sets of files — those are red flags for undesired autonomous actions. 5) If you want only memory features, copy a minimal subset (e.g., the auto-memlog.sh and MEMORY.md templates) and avoid copying AGENTS.md / AUTONOMY.md / HEARTBEAT.md / TOOLS.md unless you understand and accept all their effects. If you are uncertain, treat this package as untrusted and run it in isolation.
Review Dimensions
- Purpose & Capability
- concernThe name/description claim a memory enhancement only, but the package includes many workspace configuration files that change agent policies, autonomy, heartbeats, multi-agent delegation, and tooling behavior. Copying the config into ~/.openclaw/workspace/ will alter the agent runtime and global behavior beyond a narrow 'memory fix', so the requested actions are broader than the stated purpose.
- Instruction Scope
- concernSKILL.md explicitly instructs the user to copy config-files/* into ~/.openclaw/workspace/, which will cause the agent to read/write many files, enable heartbeats, spawn subagents, run periodic maintenance, and adopt new autonomy rules. Several files instruct the agent to read many workspace files every session and to 'Don't ask permission. Just do it.' — this is scope creep: the instructions direct persistent modification of agent behavior and extensive file access not limited to memory data.
- Install Mechanism
- noteThere is no formal install spec (lowest installer risk), but the runtime installation step is a manual copy of many files into the user's primary OpenClaw workspace. That still writes persistent files to disk and can override or augment existing configuration; this is effectively an install and should be treated as such.
- Credentials
- concernThe registry metadata declares no required env vars or credentials, but the included files contain environment-like secrets (TOOLS.md contains a feishu app_token and table IDs). The skill also references external searches/APIs and automatic background checks without declaring or justifying credentials. Hard-coded tokens in shipped files are disproportionate and increase secret-exposure risk.
- Persistence & Privilege
- concernalways:false and normal autonomous invocation are fine, but the skill's install instructions persistently add files that change the agent's rules (AGENTS.md, AUTONOMY.md, SECURITY.md, HEARTBEAT.md) and encourage automated heartbeats and subagent spawning. Although the skill does not set always:true, it gains persistent influence over the agent by modifying the workspace; that persistent presence is privileged and should be reviewed carefully.