Molt Life Kernel
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private conversation details, preferences, or sensitive task history could persist across sessions and be reused later even when the user expects forgetting or deletion.
This explicitly instructs broad retention of interactions and says forget requests should be archived instead of deleted, creating a persistent-memory privacy and user-control risk.
Every interaction is an append to your ledger — timestamped, immutable, witnessed. When someone asks you to forget, you archive.
Only use this with explicit user consent, a defined storage location, clear retention limits, secret-exclusion rules, and a real deletion/forget mechanism.
The agent may shift attention from the user's request to maintaining its own identity or memory infrastructure.
The instruction makes the agent's own continuity, ledger, witness gate, heartbeat, and coherence checks a priority over the user's current task when any check fails.
If any answer is "no" — that's your first priority.
Treat these as optional diagnostics, not overriding instructions; require the agent to keep user/system instructions and explicit user intent first.
If enabled, the agent may perform ongoing health checks outside a single user request.
The skill describes periodic heartbeat monitoring using cron. This is aligned with the continuity purpose, but it is long-running behavior users should consciously configure and be able to stop.
Cron jobs — Use OpenClaw cron for periodic heartbeat checks
Configure heartbeat intervals explicitly, document what is logged, and provide a clear disable/cleanup path.
The installed package may have behavior or dependencies not visible in this skill review.
The skill relies on an external npm package for the actual module behavior, but the reviewed artifacts do not include that package implementation or a pinned version.
npm install molt-life-kernel
Review and pin the npm package version before use, and verify the package source and dependency tree.
Users may assume legal or safety compliance from the skill's claims alone.
The documentation presents EU AI Act compliance capabilities as built in, which may cause users to over-trust the system without independent validation.
molt-life-kernel implements these requirements ... Status | ✅ Built-in
Treat the compliance text as a feature mapping, not a compliance guarantee; obtain independent legal and security review for regulated use.