Skillv1.0.1

ClawScan security

Automated daily memory backfill for OpenClaw sessions · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 9:27 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's purpose (reconstructing/backfilling local OpenClaw memory from session JSONL) matches most of what it does, but there are several coherence and sensitivity issues you should understand before installing or running it.
Guidance: This tool legitimately needs access to your OpenClaw session JSONL and memory directories to do its job, and it includes extensive secret-detection patterns to redact sensitive data — but redaction claims alone do not guarantee safety. Before installing or scheduling it: 1) Review memory_sync.py (search for any network calls, hardcoded endpoints, or functions that send data to remote hosts). 2) Run in dry-run mode on non-sensitive test data and verify that SECRET_PATTERNS actually redact secrets before any network operations. 3) If you plan to use external summarization backends (openai/anthropic), be explicit about the API key you supply and understand that data will leave your machine; prefer the 'openclaw' backend if you trust your configured model. 4) Backup memory files first and test --preserve/--force behaviors so you don't overwrite user notes. 5) Consider running it in a restricted environment (container or isolated user) and restrict cron ownership/permissions. 6) Ask the publisher for a homepage, source repo, or reproducible build; absence of a source/homepage reduces transparency. If you cannot review the code yourself, treat this skill as high-risk for sensitive accounts and data.
Findings: [pre-scan-injection:none] expected: Static pre-scan reported no injection signals. That absence is not proof of safety; the package includes a 90KB Python script that must be reviewed for network I/O and exact sanitization ordering before trusting it on sensitive logs.

Review Dimensions

Purpose & Capability: noteThe skill claims to read OpenClaw session logs and produce memory files; the code references ~/.openclaw/agents/.../sessions and ~/.openclaw/workspace/memory which is coherent. It also supports optional external LLM backends (OpenAI/Anthropic) and an OpenClaw backend — that capability is expected for summarization. Minor mismatch: registry metadata lists no required environment variables but SKILL.md documents optional API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY) for some backends; so metadata understates required credentials if you choose those backends.
Instruction Scope: concernSKILL.md and the code instruct the agent to read users' session logs and memory directories (highly sensitive data) and optionally send content to LLM backends for summarization. The README promises 'redaction at every stage' but the instructions also permit using external APIs (openai/anthropic) that would receive unredacted or partially redacted content unless you verify sanitization order. The SKILL.md grants broad discretion for daily automated runs (cron) and preserving/passing existing notes to the LLM, which increases the chance of sending sensitive content off-host. Instructions also reference writing logs to ~/.memory-sync/cron.log — normal but note it may contain sensitive filenames/operation traces.
Install Mechanism: okNo install spec is provided (instruction-only), which is lower risk. The SKILL.md notes pip installing click and optionally openai/anthropic packages; that is expected for a Python CLI. There are no external archive downloads or custom binary installs specified.
Credentials: concernRegistry metadata declares no required env vars, but SKILL.md documents optional use of OPENAI_API_KEY and ANTHROPIC_API_KEY when selecting those backends. The shipping code contains a long list of sensitive environment variable names and many secret-detection regexes (used for sanitization) — appropriate for redaction but also an indicator the tool will scan for many secret types. Because the skill can be configured to call external APIs, API keys would be necessary for those modes; the registry metadata should have reflected that. Requesting or using unrelated credentials is not observed, but the mismatch is important.
Persistence & Privilege: notealways:false (default) so it is not force-included. Model invocation is allowed (default) which is normal. The skill is intended for scheduled (cron) use. Because it reads and writes user session and memory files, granting it regular/automated access raises sensitivity concerns: an autonomously-invoked skill that posts summaries to external backends increases exfiltration risk. No evidence it alters other skills or global agent config.