Skill v0.1.2

ClawScan security

Openclaw Deeprecall · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 13, 2026, 3:51 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly does what it claims (two-tier persistent memory and summarization) but it reads OpenClaw configuration files (including system and parent directories) for API keys without declaring those credentials, and it permanently stores raw content in a database — these mismatches and privacy risks warrant caution.
Guidance
This skill appears to implement a legitimate two-tier memory and summarization system, but there are notable privacy and configuration mismatches you should consider before installing:
- Credential access: The summarizer reads OpenClaw configuration files (e.g., ~/.openclaw/openclaw.json, /etc/openclaw/openclaw.json, workspace/openclaw.json) to obtain LLM provider baseUrl and apiKey. Even though the manifest does not declare required credentials, the code will try to read and use those API keys. If those files contain secrets you don't want shared with this skill, do not install or run it until you review or remove those keys.
- Permanent storage: By default the tool stores raw session content in the L2 archive (memory.db) and the SKILL explicitly states those records are permanent and never deleted. If you have sensitive data in session .md files, disable raw storing (use --no-store-raw where possible), or ensure the DB is stored in an isolated location you control, or encrypt/remove L2 storage.
- Cross-workspace access: Path detection searches parent directories and 'agents' structures and may find configs or memory directories belonging to other agents. Run this skill in an isolated workspace (or set OPENCLAW_WORKSPACE to a dedicated directory) and test with dry-run options first.
- Test safely first: Use summarize --test-config and cleanup --dry-run to observe behavior. Consider setting deeprecall.summarizer.preferred_provider to a local/test provider or null to trigger rule-based extraction, and use --no-store-raw while testing.
- Desired changes: Prefer that the skill explicitly declare it requires OpenClaw provider credentials (or require OPENCLAW_API_KEY env), and provide an option to disable L2 archiving permanently. If you cannot confirm those changes, treat installation as potentially exposing local OpenClaw credentials and persistent raw data.

Review Dimensions

Purpose & Capability
note: Functionality (L1/L2 memory, summarization, cleanup) matches the name and description. However, the skill's metadata declares no required credentials while the summarizer explicitly requires an LLM API provider (baseUrl + apiKey) from OpenClaw configuration files; that credential requirement is documented in SKILL.md but not reflected in declared requirements, causing a mismatch.
Instruction Scope
concern: SKILL.md instructs auto-registering tools and zero-config behavior which is consistent with the purpose. But the runtime code searches for OpenClaw config files in multiple locations (including /etc and parent directories) and will read those files to obtain API keys. The instructions and code therefore grant the skill access to local/system configuration and potentially other agents' workspaces, which is broader than a simple 'memory retrieval' operation and may expose unrelated secrets.
Install Mechanism
ok: No network downloads or package installs are performed by an install spec (instruction-only install). The bundle includes Python scripts and a requirements.txt (aiohttp) but no installer that pulls remote artifacts; this is low-risk from an installation/execution provenance perspective.
Credentials
concern: The manifest declares no required environment variables or primary credential, yet the code reads OPENCLAW_WORKSPACE and scans for openclaw.json files to retrieve provider baseUrl and apiKey. That means local/system stored API keys (in ~/.openclaw, /etc/openclaw/, workspace parent, etc.) may be read and used, a credential access pattern not reflected in the skill metadata. Also the DB permanently stores raw content (L2) by default, which increases the sensitivity of stored data.
Persistence & Privilege
concern: The skill creates and writes a persistent memory.db (auto-created in discovered memory/ locations) and documents that L1/L2 records are permanent and never deleted. While always:false and no elevated platform flags are present, the permanent storage of raw content (and auto-registration/zero-config behavior) increases long-term data exposure and cross-agent leakage risk, especially because the code auto-detects parent/agents directories.