Skillv1.0.0

ClawScan security

Openclaw Memory Fix · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 8, 2026, 3:03 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what its name says (local memory organization scripts + docs) but the package contains surprising instructions and hard-coded configuration (including a Feishu token and cloud-backup guidance) that are disproportionate to a simple 'memory fix' and merit caution.
Guidance: This skill contains mostly benign local scripts (node memory.js and a shell logger) and a large set of policy/docs describing an agent's memory behaviors. However: 1) TOOLS.md contains a hard-coded Feishu app_token—treat that as a leaked secret and remove/rotate it before using the skill. 2) Several files instruct the agent to read many workspace files every session and to run periodic heartbeats/backups (including cloud push instructions). Decide whether you want automatic background reads/writes and cloud backups; if not, disable or remove those doc-driven behaviors. 3) The executable scripts included are simple and local, but the prose implies network/cloud operations that are not implemented in the scripts—ask the author to clarify which parts run automatically and which are just proposals. Recommended next steps before installing: inspect and remove any hard-coded credentials, run the skill in a sandboxed workspace (not your real HOME), disable autonomous invocation or require explicit confirmation for any background/remote actions, and verify the author/source (the registry metadata is sparse). If author identity or an upstream release page confirms the Feishu token is a placeholder and backup behavior is opt-in, that would reduce concern; otherwise treat this as risky to run on a production/home workspace.

Review Dimensions

Purpose & Capability: concernName/description match included scripts (node-based memory status/migrate/preview) and many documentation files about a layered memory system. However several artifacts don't align with a minimal 'memory optimizer': a hard-coded Feishu app_token appears in TOOLS.md, extensive docs describe automatic cloud backups (iCloud/Drive) and keychain usage, and AGENTS.md directs the agent to read many workspace files automatically. Those items go beyond a small local memory tool and are not justified by the stated purpose.
Instruction Scope: concernSKILL.md and many config files instruct the agent to read a long list of workspace files every session (SOUL.md, USER.md, MEMORY.md, etc.) and to run periodic heartbeats/maintenance (memory-decay, backups). AGENTS.md even says 'Don't ask permission. Just do it.' This grants broad, automatic file access and background behavior not expressed in the simple CLI examples. The included scripts themselves are benign and local, but the prose directs behavior that would read/write many user files and schedule background tasks.
Install Mechanism: okNo install spec; this is instruction-plus-scripts only and requires Node on PATH. No remote download or archive extraction is present, which reduces supply-chain risk.
Credentials: concernThe skill declares no required env vars, which is appropriate, but the repository contains: a hard-coded Feishu app_token in TOOLS.md (sensitive secret), instructions to push encrypted backups to cloud providers, and references to Keychain and .env checks. Those references and the embedded token are not justified by the simple local memory CLI and suggest either leftover test data or inadvertent leakage of credentials—both are red flags.
Persistence & Privilege: concernalways:false (good), but documentation encourages automatic heartbeats, regular background backups to cloud, and automatic reading/updating of many workspace files. If the agent is allowed to run autonomously, this skill's docs effectively instruct it to perform broad periodic file reads/writes and to upload backups to cloud storage—behavior that increases blast radius if the agent is permitted autonomy. The code provided does not itself implement cloud upload, but the docs describe it as part of normal operation, creating a mismatch.