Skill v1.0.0

ClawScan security

Auto Memory Distiller · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 4, 2026, 4:44 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions are mostly consistent with its stated purpose (distilling conversations) but the package metadata omits required credentials and the skill will transmit raw conversation data to an external model provider and create persistent traceable files — this combination and metadata mismatch merit caution.
Guidance
Before installing or enabling this skill, consider the following:
- It will read your conversation logs from ~/.openclaw/agents/main/sessions/*.jsonl and send those conversations to Google's Gemini API for processing. Any secrets or personal data in those conversations will be transmitted to an external service even though the prompt instructs the model to redact secrets — that is not a guaranteed client-side safe filter.
- The registry metadata does not declare the GEMINI_API_KEY requirement or the config paths the code uses; treat that omission as a red flag and verify the behavior yourself.
- The script writes Markdown topic files and a state.json in ~/.openclaw/workspace/, and it embeds filesystem paths/line numbers pointing back to raw session files — this can make raw data easier to find and expose.
- Mitigations:
  (1) Run the script manually for testing rather than enabling automatic runs;
  (2) inspect the session JSONL files to ensure they contain no sensitive info before sending;
  (3) prefer using a dedicated, limited-scope API key and monitor its usage;
  (4) consider adding client-side redaction (remove/replace API keys, PII) before sending content to the model;
  (5) lock down file permissions on ~/.openclaw/workspace and the .env file;
  (6) if organizational policy forbids sending conversation contents to third-party models, do not enable this skill.
If you want help producing a safe wrapper that does client-side redaction or that runs in an isolated environment, I can assist with a patch or run strategy.

Review Dimensions

Purpose & Capability
concern
The skill claims to be a local, silent distiller of long conversations — that capability matches the shipped script which reads session JSONL files and writes Markdown topics. However, the registry metadata lists no required environment variables or credentials while both SKILL.md and distiller.py require a GEMINI_API_KEY/GOOGLE_API_KEY. Also the metadata declares no required config paths but the code explicitly reads/writes ~/.openclaw/workspace and ~/.openclaw/agents/main/sessions. This mismatch between declared requirements and actual behavior is an incoherence.
Instruction Scope
concern
The SKILL.md and script instruct the agent to read full conversation contents from ~/.openclaw/agents/main/sessions/*.jsonl, send those contents to the remote Gemini model for distillation, and write topic files including explicit filesystem pointers (file path + line ranges). Sending raw conversations to an external API (even with a redaction instruction) transmits potentially sensitive user data. The model-side redaction is not guaranteed to prevent exposure because the raw data is transmitted prior to any filtering.
Install Mechanism
ok
This is an instruction-only skill with an included Python script; there is no install spec. The SKILL.md suggests installing google-genai and python-dotenv via pip, which is expected for the stated purpose. No third-party binary downloads or obscure URLs are used.
Credentials
concern
The registry metadata declares no required env vars or primary credential, but both SKILL.md and distiller.py require GEMINI_API_KEY/GOOGLE_API_KEY (loaded from environment or ~/.openclaw/workspace/.env). Requesting a general cloud model API key is proportional to performing remote distillation, but the omission from declared requirements is misleading. Also SKILL.md suggests storing the key in the workspace .env file — that file may be world-readable depending on system permissions and increases risk if other local agents or processes can access it.
Persistence & Privilege
note
always:false (no forced inclusion) and the skill does not modify other skills. It is designed to run automatically (cron or heartbeat) and will create persistent artifacts (state.json, topic Markdown files) under ~/.openclaw/workspace; those artifacts include pointers to original session files which could make sensitive content easier to locate. Autonomous invocation is allowed by platform default — combine this with the data-exfiltration aspect when deciding whether to enable automatic runs.