Skillv1.0.0

ClawScan security

Smart Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 1, 2026, 6:08 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what it says (local JSON memory via shell scripts) but has a few mismatches and privacy risks you should understand before installing.
Guidance: This skill is coherent with its stated purpose (local JSON memory) but has privacy and small-declaration issues you should consider before installing: - Review the scripts before use. They run locally, but they expect 'jq' and other standard Unix tools; the registry metadata did not declare 'jq' as required. Install jq or confirm availability. - Be cautious about storing secrets. The skill explicitly suggests storing API keys and server addresses drawn from conversations. If you enable this, treat the memory directory like sensitive storage: restrict filesystem permissions, consider encrypting the directory, or disable storing credentials. - The stats/report command prints the first ~60 characters of memory values. That can leak secret fragments — remove or modify that output if you care about privacy. - Soft-delete keeps items in archive for 30 days. If you need immediate, irreversible deletion for sensitive items, test 'purge' and confirm behavior meets your policy. - Follow principle of least privilege: set OPENCLAW_MEMORY_DIR to a controlled location, verify file permissions, and run 'memory-manager.sh init' manually to inspect created files. Consider disabling automatic inference/storage until you have explicit consent rules implemented. If you want a green light: have the author declare 'jq' as a required binary, remove value snippets from reports or mask them, add explicit opt-in for storing credentials, shorten retention for sensitive items or add encryption, and re-run a review.

Review Dimensions

Purpose & Capability: noteThe skill's name/description (local persistent memory) matches the included scripts and instructions: everything reads/writes JSON under ~/.openclaw/smart-memory and uses shell/jq. However the metadata claims no required binaries while the scripts explicitly require 'jq' (and use standard tools like stat, du, bc). That undeclared dependency is an incoherence.
Instruction Scope: concernSKILL.md instructs the agent to automatically extract and store a wide range of information, including 'technical context: server addresses, API keys (stored locally only)'. That is within a memory feature but expands scope to storing highly sensitive secrets. Also the reporting script (memory-stats.sh) prints snippets of stored values (value[:60]) in its report, which contradicts the 'No sensitive data in logs' rule in the doc and can leak secret fragments to anyone who can run/view the report.
Install Mechanism: okThere is no download/install step — the skill is instruction + included local scripts. No external URLs or archive extraction are involved, so install risk is low. The scripts will run locally when invoked.
Credentials: concernThe skill declares no required environment variables but the code honors OPENCLAW_MEMORY_DIR if set and requires 'jq' (not declared). More importantly, the skill encourages storing API keys and server addresses drawn from conversation — that increases the sensitive data footprint without requiring explicit credentials. Retention/archival (soft-delete with 30-day archive) and automatic daily maintenance increase the time sensitive data is kept.
Persistence & Privilege: notealways:false (good). The SKILL.md defines a daily heartbeat/maintenance action; combined with the normal autonomous invocation this means the agent can run maintenance and access local memories automatically. This is not unusual, but it increases the blast radius when combined with the ability to store secrets.