Soul Memory

Advisory
Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Private or outdated conversation details could be stored and later reused automatically in responses.

Why it was flagged

The skill automatically saves memory and injects retrieved memories into future prompts, which can carry sensitive or incorrect context across sessions.

Skill content
Auto-Trigger | Pre-response search + Post-response auto-save ... `before_prompt_build` Hook for automatic context injection ... Inject into prompt via `prependContext`
Recommendation

Install only if you want persistent long-term memory; configure clear retention, deletion, and exclusion rules, and avoid saving secrets or sensitive personal data.

Concern
Medium Confidence
ASI03: Identity and Privilege Abuse
What this means

Users cannot tell what credential-like data may be accessed or required.

Why it was flagged

The declared credential contract says no credentials are needed, but the capability signal indicates sensitive credential access, without explaining which credentials or scope.

Skill content
Required env vars: none ... Primary credential: none ... Capability signals: requires-sensitive-credentials
Recommendation

The publisher should document any credential, token, cookie, profile, or session access explicitly, including scope and storage behavior.

Note
High Confidence
ASI10: Rogue Agents
What this means

The memory system may keep running checks or updates in the background after installation.

Why it was flagged

The skill documents recurring automatic heartbeat execution, which is expected for this memory system but persists beyond a single explicit invocation.

Skill content
Automatically run the following command on every Heartbeat: `python3 /root/.openclaw/workspace/soul-memory/heartbeat-trigger.py` ... Heartbeat check | About every 30 minutes
Recommendation

Review and disable heartbeat or cron jobs if you do not want automatic memory maintenance.

What this means

Running the installer can modify the local OpenClaw environment and enable plugin behavior.

Why it was flagged

Installation relies on a user-run shell script from a GitHub repository and installs an OpenClaw extension; this is disclosed and purpose-aligned, but it is outside the registry install spec.

Skill content
git clone https://github.com/kingofqin2026/Soul-Memory-.git ... bash install.sh ... Plugin is automatically installed to ~/.openclaw/extensions/soul-memory
Recommendation

Inspect `install.sh`, the plugin manifest, and any cron changes before running the installer.