Skillv2.0.0

ClawScan security

Three Layer Memory + LanceDB Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 15, 2026, 1:48 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (three-layer memory with LanceDB + embedding/rerank) is coherent, but there are mismatches and privacy/credential concerns (undeclared Jina API key, scheduled scripts that push conversation content to external systems) that you should resolve before installing.
Guidance: This skill generally does what it says (scheduled memory capture, summarization, and LanceDB integration), but before installing you should: (1) require the author to declare required env vars (e.g., JINA_API_KEY, any LanceDB endpoint/credentials) in the manifest so you can review them; (2) verify where embeddings and memory are sent — prefer self-hosted endpoints or explicit URLs; (3) inspect or run the memory-lancedb-pro plugin code to confirm it doesn't exfiltrate data to unknown hosts; (4) consider limiting which sessions get scanned (sensitive channels excluded) and implementing redaction rules; (5) run the scripts in a restricted account or sandbox first, and back up/openclaw.json before enabling plugin changes; (6) if you accept the credential use, set API keys with least privilege and rotate them regularly. The main risks are undisclosed credential usage and automated scheduled uploading of conversation content to external services — address those before proceeding.

Review Dimensions

Purpose & Capability: okName/description match the actual behavior: this is a local memory management strategy that integrates with a LanceDB plugin and an embedding/rerank service (Jina). The files and cron tasks align with the stated goal of hot/warm/cold memory management and scheduled summarization/compaction.
Instruction Scope: concernRuntime instructions and shipped scripts write to ~/.openclaw/workspace, create cron jobs, and append tasks to HEARTBEAT.md which will cause the agent to scan recent sessions and store/clean memory. That means user conversations will be programmatically collected and (per the design) sent to LanceDB and embedding/rerank services. The SKILL.md references commands like sessions_list, sessions_history, memory_recall, memory_store but does not define them—these are expected to come from the platform/plugins but give the skill broad discretion to read and process conversation history. There's no guidance about data minimization, redaction, or privacy controls.
Install Mechanism: okNo remote installers or downloads. The skill is instruction-only and provides local shell scripts the user is asked to copy into ~/.openclaw/shared and enable in cron. That is low install risk (no arbitrary network fetches), but it does establish persistent scheduled runs on the host.
Credentials: concernSKILL.md explicitly lists a prerequisite 'Jina API Key (embedding + rerank)' and requires the memory-lancedb-pro plugin, but the registry metadata lists no required env vars or primary credential. The missing declaration of required credentials is an incoherence. Requesting an embedding/rerank API key is plausible for this functionality, but it is sensitive: conversation content will likely be sent to external services (Jina, LanceDB). The skill gives no guidance about what endpoints are used, whether embedding calls go to a hosted service or self-hosted instance, or how to limit/exclude sensitive sessions.
Persistence & Privilege: noteThe skill does not set always:true and is user-invocable (normal). It installs cron jobs (persistent scheduled tasks) that will repeatedly append to HEARTBEAT.md to trigger agent actions — this is expected for a scheduled memory system but increases the blast radius because it causes autonomous, recurring collection and processing of conversation data. The skill also instructs modifying openclaw.json to enable a plugin, which is consistent with its function.