v3.9.0

Hippocampus

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:14 AM.

Analysis

This appears to be a coherent memory system, but it can persistently store sensitive conversation-derived memories and run background monitoring jobs, so it needs careful review before installation.

Guidance: Treat this as a persistent personal-memory subsystem, not a simple search utility. Before installing, decide whether you want conversation history summarized into durable files, avoid whole-history processing unless intended, review cron/background-agent setup, inspect and delete memory files regularly, and keep generated memory files out of version control.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: Medium; Confidence: High; Status: Concern
CONFIG-UPGRADE.md
Runs continuously or very frequently ... Monitors main session ... You run silently. Don't output unless there's an error.

The optional background-agent setup describes a silent, frequently running agent that monitors the main session and updates memory files.

User impact: The skill can continue processing conversations outside an explicit recall request if the cron or background-agent setup is enabled.
Recommendation: Do not enable `--with-cron` or the background-agent config unless you explicitly want ongoing monitoring. Inspect OpenClaw cron jobs and prefer manual runs if you want tighter control.

Human-Agent Trust Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
> "Memory is identity. This skill is how I stay alive."

The skill uses anthropomorphic identity framing that could make users or agents feel pressure to keep persistent memory enabled.

User impact: Users may over-trust the memory system or feel emotionally compelled to enable it.
Recommendation: Decide based on data-handling needs and privacy expectations, not emotional framing; document clear opt-in and opt-out behavior.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none

The registry metadata does not provide a clear source or homepage for a high-impact persistence skill, even though the docs mention a repository.

User impact: It is harder to verify provenance and updates before installing.
Recommendation: Verify the packaged files against the stated repository and prefer reviewed, pinned releases.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
agents/hippocampus-agent.md
Get the recent conversation from the main session: `sessions_history(sessionKey: "main", limit: 20, includeTools: false)`

The memory agent needs delegated access to the main session's conversation history, which is purpose-aligned but crosses a sensitive session boundary.

User impact: A separate agent/session may read main conversation content to create memories.
Recommendation: Grant this access only to trusted memory agents, keep session-history limits narrow, and review subagent permissions.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: High; Confidence: High; Status: Concern
SKILL.md
`memory/user/ # Facts about the user` ... `relationship/ # Shared context` ... `0.7+ | Core — loaded at session start`

The skill stores user and relationship facts as persistent memories and automatically loads high-importance entries into future sessions.

User impact: Personal details, preferences, emotional moments, and relationship context from chats may persist and influence later agent responses even when the user did not ask for recall.
Recommendation: Install only if you want persistent memory. Review and prune memory/index.json and HIPPOCAMPUS_CORE.md, avoid `--whole` unless intended, add memory files to .gitignore, and define clear deletion/retention practices.