Openclaw Sulcus Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent memory/knowledge-graph skill that discloses its local and cloud data handling, but it stores persistent memories and can use an optional Sulcus API key, so users should review its settings before use.
Before installing, verify the external `openclaw-sulcus` plugin, decide whether local-only or cloud mode is appropriate, provide an API key only if you trust the configured server, and confirm how to review, disable, or delete stored memories.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Information saved as memory may shape future answers or actions, including across later conversations depending on how the plugin scopes memory.
Persistent memories, preferences, and facts are reused in future prompts, which is central to the skill but means stale, incorrect, or sensitive memories can influence later agent behavior.
The plugin automatically injects relevant memories into every turn via `before_prompt_build` ... Profile (user preferences + facts, periodic refresh)
Review how memories are scoped, edited, and deleted; prefer project- or session-specific memory for sensitive work.
If cloud mode is enabled, private memory content and search activity may leave the local machine.
Cloud mode sends memory and query data to an external configured server. This is disclosed and optional, but the data can be sensitive.
When `serverUrl` IS configured ... destination: Configured Sulcus server ... data: Memory text, metadata, search queries, session events, embedding requests
Use local-only mode for sensitive conversations, or configure cloud mode only with a Sulcus server you trust.
Anyone with access to the API key may be able to access or modify cloud memory depending on the Sulcus service permissions.
The skill can use a Sulcus API key for cloud storage, recall, and embeddings. This credential use is expected for cloud mode but should be treated as sensitive.
Cloud mode (requires `serverUrl` + `apiKey`): Memories are stored on and recalled from the configured Sulcus server. Embedding ... uses the same `apiKey`
Use a scoped key if available, keep it out of shared prompts or logs, and revoke it if the skill is no longer used.
The reviewed artifact explains the intended behavior, but it does not allow inspection of the plugin implementation.
The sensitive runtime behavior depends on an external plugin, while the reviewed package contains only SKILL.md and no plugin code.
**Required plugin:** `openclaw-sulcus` (install via `openclaw plugin install openclaw-sulcus`)
Verify the `openclaw-sulcus` plugin publisher, source, and version before installing or enabling cloud credentials.
Stored memories may be summarized, reclassified, or reprioritized without a separate manual action each time.
The skill discloses autonomous background memory maintenance. This is purpose-aligned, but it persists and changes memory state over time.
Curator (sleep cycle) — background process that reclassifies, consolidates, summarizes, and re-vectorizes memories. No manual cleanup needed.
Check whether the plugin provides controls to pause background curation, inspect changes, and delete or export stored memories.
