Skill v2.6.5

ClawScan security

Memory Master · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 5, 2026, 7:42 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely does what it says (local memory, indexing, and write/recall), but its runtime instructions and shipped scripts give it broad authority to auto-modify your workspace files (AGENTS.md, MEMORY.md, HEARTBEAT.md) and to run actions after every response without declaring those config paths or requiring binaries—this mismatch and the automatic-write/auto-learn behavior warrant caution.
Guidance
This skill is coherent with its purpose (local memory and indexing) but it will actively modify your agent workspace (AGENTS.md, MEMORY.md, HEARTBEAT.md), create a backup folder, and recommends running a detect script after every response. Before installing:
1) Review the two included scripts (scripts/init.js and scripts/detect.js) yourself and confirm you trust them.
2) Back up ~/.openclaw/workspace (or set WORKSPACE to a sandbox) because init.js will rewrite AGENTS.md and MEMORY.md.
3) Be cautious about the "auto-write before every response" and "auto-learn (web search)" behaviors. If you want manual control, disable or modify those rules in the SKILL.md/templates before running init.
4) Note package.json signals an init script that requires Node even though the registry lists no required binaries. Ensure your environment and policies allow running node scripts from this skill.
5) If you depend on external web-search tooling (tavily/web_fetch), verify how that will be invoked and what credentials (if any) it needs.
If unsure, test the init script in an isolated workspace first.

Review Dimensions

Purpose & Capability
note: The skill's name and description (local memory, indexing, heuristic recall, auto-learning) align with the included files: templates, SKILL.md, and two Node scripts for init and compression detection. However, the skill will modify important workspace files (AGENTS.md, MEMORY.md, HEARTBEAT.md) and create ~/.openclaw/workspace/memory/ files, yet the registry metadata lists no required config paths or required binaries. That omission is unexpected because the scripts operate on a specific workspace path and package.json indicates an init script that requires Node.
Instruction Scope
concern: SKILL.md and README explicitly instruct the agent to auto-write memory entries ("Before every response, quickly check... write immediately if new"), to run compression detection after every response, and to automatically migrate/modify AGENTS.md and MEMORY.md during initialization. Those instructions grant the agent broad discretion to read and overwrite user workspace files and to perform automatic web searches when knowledge is missing. This is outside a minimal passive memory-read scope and can cause persistent changes without per-action user confirmation.
Install Mechanism
note: There is no remote download or installer (no install spec), so code is not fetched at install time. The package includes scripts/init.js and scripts/detect.js and package.json references an initScript and 'requiresNode'. Running these scripts (clawdhub init or node scripts/init.js) will perform file operations on the user's workspace. The absence of a declared install step or required binary (Node) in the registry metadata is an inconsistency to be aware of.
Credentials
note: The skill declares no required environment variables or credentials, and the code does not exfiltrate secrets. It does, however, read the WORKSPACE env var (falling back to ~/.openclaw/workspace) and directly reads/writes files in that directory. That file-system access is reasonable for a local memory manager, but the registry metadata failing to surface that required config path is a transparency gap. The skill also references automatic 'network learning' flows in its instructions (mentions tavily/web_fetch), but does not require or declare credentials for any external service, meaning the network behavior depends on other agent skills or tools and is not controlled here.
Persistence & Privilege
concern: The skill does not request always:true, but its runtime rules instruct the agent to automatically write to disk before every response and to migrate/overwrite AGENTS.md and other workspace files during init. Because agents can invoke skills autonomously, this yields a significant ability to alter the agent's persistent behavior and configuration (AGENTS.md contains rules that are loaded every session). The combination of autonomous invocation + file-modifying instructions increases risk if you don't review/consent to changes.