Skillv1.0.2

ClawScan security

Openclaw Memory Ollama · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 25, 2026, 7:22 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's files describe a coherent local-memory integration (Ollama + cognitive-brain + Postgres/Redis), but the runtime instructions require editing other skills' config and local credentials while the registry metadata declares no required env/paths — this mismatch and cross-skill modification are concerning.
Guidance: What to consider before using/installing: - The skill is instruction-only and appears to do what it claims (local memory using Ollama + cognitive-brain + Postgres/Redis), but the registry metadata does NOT declare the environment variables or config paths the docs require — review the docs carefully before supplying secrets. - The runtime steps tell you to edit files under ~/.openclaw and the cognitive-brain skill directory (config.json, scripts/embed.py) and to modify OpenClaw's openclaw.json. Back up those files before making changes and test in a non-production environment. - The cognitive-brain config will require Postgres DB credentials and access to Redis. Prefer using a dedicated local or test database, not a production DB. - The embedding script in the docs calls http://localhost:11434 (Ollama) — there are no obvious external network endpoints, but verify scripts for any unexpected outbound connections before running. - If you run the agent with autonomy, be aware the instructions imply cross-skill file edits; consider restricting the agent's file-system privileges or performing the edits manually rather than allowing automated changes. - If anything is unclear, ask the skill author for a clear list of required env vars, exact file paths, and an explicit checklist of changes so you can audit them beforehand.

Review Dimensions

Purpose & Capability: noteThe described purpose (local memory using Ollama + cognitive-brain + Postgres/Redis) is coherent with the instructions: the skill expects Ollama, a pgvector-enabled PostgreSQL, Redis, and the cognitive-brain skill. However, the registry metadata declares no required env vars, binaries, or config paths while the SKILL.md explicitly references several environment variables and specific config file locations (~/.openclaw and cognitive-brain workspace). The missing metadata is an inconsistency (documentation vs declared requirements).
Instruction Scope: concernSKILL.md and references instruct the user/agent to edit cognitive-brain's config.json and scripts/embed.py in ~/.openclaw/workspace-*/skills/cognitive-brain, restart OpenClaw gateway, and run verification commands. These instructions require reading and modifying files belonging to another skill and the OpenClaw installation, and expect DB credentials and local endpoints. While these actions are understandable for integration, they expand the agent's scope beyond a self-contained skill and could alter other skills' behavior.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code executed by the registry. That minimizes supply-chain risk from downloads or packaged binaries. The deployment instructions do recommend installing Ollama via brew (official source) and pulling models; nothing is downloaded from untrusted URLs in the provided docs.
Credentials: concernAlthough the registry lists no required environment variables, the docs instruct setting OLLAMA_API_KEY and OLLAMA_HOST and show cognitive-brain config fields that require a Postgres user/password and Redis connection. Requesting DB credentials and access to other local services is proportionate to running a local memory system, but the fact these credentials and config paths are not declared in the skill metadata is a mismatch and increases risk if users supply credentials without realizing the scope. The embedding script targets only localhost (Ollama) in the docs, not external endpoints.
Persistence & Privilege: concernalways:false and default autonomous invocation are fine. However, the instructions direct modifying other skills' configuration and the global OpenClaw config (~/.openclaw/openclaw.json), which amounts to cross-skill and system-wide changes. That level of access should be treated cautiously because it can alter agent behavior persistently.