Skill v0.1.0

ClawScan security

ClawMem · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 11, 2026, 10:34 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The package mostly implements a plausible memory manager, but packaging/metadata and runtime instructions disagree about installation and required configuration, and the skill will capture and persist potentially sensitive runtime payloads — review before use.
Guidance
This package appears to implement the memory manager it claims, but there are important mismatches and privacy implications to consider:
1) Metadata says 'no env vars' and 'instruction-only' but the repo is a runnable Node project (package.json) that expects a .env and creates a SQLite DB and logs — don't assume no configuration is needed.
2) The lifecycle monitor will intercept OpenClaw events (tool calls, memory reads/writes) and persist event payloads (including tool args) to disk; review whether that data could contain secrets you don't want stored.
3) The SKILL.md contains prompt-injection indicators (unicode control chars) — inspect and sanitize documentation and code for hidden characters.
4) If you plan to use an LLM provider (openai) via this code, ensure you only provide API credentials when you understand what calls will be made and where results are stored.
Recommended next steps before installing:
a) review src files (especially lifecycle-monitor.js and database/init.js) locally to confirm what they log/store and where;
b) run npm install and the code in an isolated/sandboxed environment first;
c) change hardcoded paths in the docs and confirm the DB/log file locations and retention policy;
d) do not provide sensitive API keys until you audit any network calls;
e) if unsure, run with monitoring and limited privileges or decline installation.
Findings
[unicode-control-chars] unexpected: A prompt-injection pattern (unicode control characters) was detected in SKILL.md. This is not expected for documentation and could be an attempt to manipulate downstream prompts or evaluations — inspect SKILL.md raw content for hidden characters before trusting it.

Review Dimensions

Purpose & Capability
note: Name/description match the code: a 3-tier memory store, lifecycle monitor, and search over an on-disk SQLite DB. However the registry metadata claims 'no required env vars' and 'instruction-only / no install', while the SKILL.md and code expect an npm project, a .env file, and writeable filesystem paths — this mismatch is unexpected and worth scrutiny.
Instruction Scope
concern: Runtime instructions direct users to a hard-coded path (/root/.openclaw/workspace/projects/clawmem), run npm install and db:init, copy and edit .env, and import the project's modules into OpenClaw. The lifecycle monitor explicitly intercepts OpenClaw events (tool.call, memory.write, etc.) and persists payloads (including tool args) to local L2 storage. That behavior is consistent with a memory plugin but means the skill will collect and store runtime data (which can include sensitive info). The SKILL.md also contains pre-scan prompt-injection indicators (unicode control chars) — this is suspicious and should be reviewed.
Install Mechanism
note: No formal install spec was provided in registry metadata (instruction-only), but the bundle includes a package.json and full source. Dependencies are standard npm packages (better-sqlite3, uuid) with no external download URLs. The absence of an install spec in metadata combined with a runnable Node project is an inconsistency (users are expected to run npm install manually).
Credentials
concern: Metadata declares no required env vars or credentials but the SKILL.md and config/loader.js expect a .env with settings (DATABASE_PATH, LLM_PROVIDER, LLM_MODEL, etc.). The code will create files (DB, logs) on disk. The config mentions LLM provider (openai) but there is no declared need for an API key — if you set an LLM_PROVIDER that triggers calls, credentials may be needed but are not declared. Overall the environment/credential requirements are under-declared and potentially ask for access beyond what the metadata signals.
Persistence & Privilege
note: always:false and user-invocable: true (normal). The lifecycle monitor starts a persistent background worker loop when started (while(true) with configured sleep), which will run until stopped; that can consume resources and will keep collecting events once integrated. The skill does not request system-wide privileges or modify other skills, but it will persist captured events to local DB and logs (user should confirm storage location and retention).