Session Memory Flush

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill is coherent, but it needs review because it automatically reads and stores session memories, may send transcripts to an LLM provider, and its cron installer uses unescaped config values.

Install only if you want a background job to read visible OpenClaw session transcripts and store summaries for future sessions. Use a local/approved model for confidential content, review the generated memory files, avoid the cron fallback until quoting is fixed, and inspect the full watcher.py before deployment because the supplied source view is truncated.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

On systems using the cron fallback, a malformed or malicious outputDir value could change what cron executes under the user's account and persist until the crontab is cleaned.

Why it was flagged

The output directory can come from an environment variable or openclaw.json and is inserted into a cron shell command without shell quoting or escaping.

Skill content

OUTPUT_DIR="${SESSION_MEMORY_OUTPUT_DIR:-$(read_config_value output_dir)}" ... echo "*/$TIMER_MINUTES * * * * cd $SKILL_DIR && ... SESSION_MEMORY_OUTPUT_DIR=$OUTPUT_DIR $PYTHON_BIN watcher.py --once $CRON_MARKER" >> "$TMP_CRON"
Recommendation

Quote or escape all cron values, validate outputDir as a safe path, or use a fixed wrapper script/env file instead of constructing a raw shell command in crontab.

What this means

Sensitive conversation details, preferences, tasks, or misleading/poisoned content from prior sessions could be retained and influence future agent behavior.

Why it was flagged

The skill automatically converts session transcripts into persistent memory that future sessions may load, including across multiple agent/session types.

Skill content

Scan the sessions currently visible in `openclaw sessions --json` ... main / native subagent / cron / dreaming ... write the summaries into memory markdown so that new sessions sharing the same workspace / the same memory-file loading path can keep reading them
Recommendation

Make this opt-in by workspace/session type, add retention and exclusion controls, review summaries before writing them, and treat generated memory as untrusted context.

What this means

Private session content may leave the local environment and be subject to the provider's security, logging, and retention policies.

Why it was flagged

Transcript data may cross a boundary from the local machine to the configured external model provider.

Skill content

This skill reads local OpenClaw session transcripts and, by preference, uses the model provider configured in the current user's `openclaw.json` to generate summaries; this means transcripts may be sent to the LLM provider the user has configured.
Recommendation

Use a local or approved internal model for confidential work, and only enable external summarization if provider data handling is acceptable.

What this means

The skill can use the user's configured model account and may incur provider usage or expose transcript data through that account.

Why it was flagged

The skill uses local model-provider credentials from OpenClaw config or environment variables, which is expected for its LLM summarization purpose but still sensitive.

Skill content

`watcher.py` reads the API key from the local `openclaw.json` or environment variables only at runtime, to call the model; it does not write the API key into `state`, memory markdown, or logs.
Recommendation

Use least-privilege or dedicated provider keys where possible, and verify the full watcher.py implementation before installing because the provided watcher.py artifact is truncated.

What this means

The transcript summarizer will keep running periodically until disabled or uninstalled.

Why it was flagged

The installer creates a recurring user-level systemd timer or cron job that continues running after installation.

Skill content

systemctl --user enable --now "$SERVICE_NAME.timer" ... echo "*/$TIMER_MINUTES * * * * cd $SKILL_DIR && ... $PYTHON_BIN watcher.py --once $CRON_MARKER" >> "$TMP_CRON"
Recommendation

Install only if you want ongoing background processing, and use uninstall.sh or remove the systemd timer/crontab entry when no longer needed.

What this means

A user relying only on registry metadata may not realize the skill has an installer and runtime prerequisites.

Why it was flagged

The metadata under-declares operational requirements compared with the included install.sh, which requires python3/openclaw and installs persistent scheduling.

Skill content

Install specifications: No install spec — this is an instruction-only skill. Required binaries ... none.
Recommendation

Update metadata to declare required binaries and the installer behavior, and review install.sh before running it.