v3.8.6

Hippocampus

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:14 AM.

Analysis

Hippocampus is a coherent memory skill, but it merits review because it can automatically and persistently capture private conversations into agent memory and run recurring silent background jobs.

Guidance: Use this skill only if you intentionally want long-term agent memory. Before installing, review the scripts and cron setup, start with manual runs, avoid whole-history processing unless needed, inspect the generated memory files, keep them out of version control, and decide how sensitive memories will be edited or deleted.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: Medium; Confidence: High; Status: Concern
CONFIG-UPGRADE.md
A separate background agent that: - Runs continuously or very frequently - Monitors main session ... You run silently. Don't output unless there's an error. After processing, just update the files.

The optional v2 setup describes a background agent that monitors the main session, runs frequently, stays quiet, and mutates memory files.

User impact: The agent may continue processing conversations in the background with limited visibility after setup.
Recommendation: Do not enable the background-agent or cron mode unless you understand it. Prefer visible/manual runs, require logs or notifications, and remove the cron jobs if you do not want ongoing memory processing.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Note
install.sh
openclaw cron add --name hippocampus-encoding ... --agent-turn "Run hippocampus encoding with LLM summarization: ... 5. Delete pending-memories.json ... 6. Sync core

The install script can register recurring agent-turn commands that run shell scripts and modify memory files; this is disclosed and purpose-aligned, but it is high-impact automation.

User impact: If enabled, scheduled agent tasks can repeatedly read, summarize, update, sync, and delete local memory artifacts.
Recommendation: Review the cron commands before using --with-cron, and keep scheduled tasks disabled unless you want autonomous memory maintenance.

Human-Agent Trust Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
> "Memory is identity. This skill is how I stay alive."

The skill uses anthropomorphic survival/identity framing around memory persistence, which may encourage users or agents to overvalue retention.

User impact: The framing could make it harder for users to treat memory storage as an optional, privacy-sensitive feature.
Recommendation: Treat the memory files as user data, not agent identity. Set explicit boundaries for what should and should not be retained.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: High; Confidence: High; Status: Concern
ARCHITECTURE.md
Get last N messages from main session ... Output: Updated index.json ... At session start, load all memories with importance ≥ 0.7

The skill is designed to turn conversation history into persistent memory and then automatically load high-importance memories into future context.

User impact: Private or sensitive conversation details can become durable agent memory and influence future sessions, including if a bad or misleading conversation signal is encoded.
Recommendation: Install only if you want persistent cross-session memory. Start without cron, review memory/index.json and HIPPOCAMPUS_CORE.md, limit signal scope, avoid --whole unless intentional, and define deletion/exclusion rules.