suspicious.destructive_delete_command
- Location: SKILL.md:293
- Finding: Documentation contains a destructive delete command without an explicit confirmation gate.
Advisory
Audited by Static analysis on May 10, 2026.
Detected: suspicious.destructive_delete_command
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Saved memories may influence future agent behavior, including if incorrect or sensitive facts are stored.
The skill intentionally stores and retrieves persistent context that can be injected into later agent sessions.
Semantic search across all memories. Auto-recall injects relevant context.
Review memory files and vector-memory settings periodically, and avoid storing secrets or unverified instructions as durable memory.
If enabled, parts of your conversation or memory may be sent to third-party memory services.
The docs describe optional external memory providers that can receive stored context or conversation messages.
CLOUD BACKUP (SuperMemory) — Optional ... Cross-device sync ... await client.add(messages, { user_id: "user123" });
Enable cloud backup or Mem0 only if you trust the provider, understand retention settings, and are comfortable syncing that data.
Provider credentials may be used for embeddings, memory search, or external memory features.
The skill requires an OpenAI API key for the advertised memory-search workflow and documents optional keys for cloud memory providers.
requires:\n env:\n - OPENAI_API_KEY
Use least-privilege API keys where possible, keep them out of memory files, and rotate them if exposed.
Running this command can permanently remove stored vector memories.
The documentation includes a destructive command that deletes the LanceDB vector-memory directory.
rm -rf ~/.openclaw/memory/lancedb/
Only run reset/delete commands intentionally, after backing up any memory data you want to keep.
You may run code from an external package source when following the CLI setup instructions.
The README tells users to execute the package through npx, which can fetch and run code from the package registry.
npx elite-longterm-memory init
Install from a trusted registry, consider pinning a version, and review the package before running it in sensitive workspaces.