v1.0.0

mnemospark-lite Cloud File Storage

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 12:47 PM.

Analysis

This is a coherent paid cloud-storage skill, but it gives the agent wallet/payment authority plus upload, share, and delete powers that should be reviewed carefully before installation.

Guidance: Install only if you want OpenClaw to use mnemospark-lite for paid cloud storage. Before allowing actions, confirm the file path, storage tier/cost, wallet being used, upload IDs, and any share-link recipients; consider using a dedicated low-balance wallet and avoid uploading sensitive files unless you intend them to be stored externally.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: Medium | Status: Concern
SKILL.md
Support these mnemospark-lite operations: - upload a file and mint its share URL - list uploads ... - mint a 24-hour share URL ... - delete one or more uploads

The skill gives the agent direct workflows for paid uploads, share-link creation, and deletion, but the visible instructions do not define confirmation, cost, file-scope, or bulk-delete guardrails.

User impact: An autonomous or mistaken invocation could upload the wrong file, create a share link, make a paid request, or delete multiple uploads.
Recommendation: Require the agent to show the file path, tier/cost, destination, upload IDs, and share/delete impact, then get user confirmation before proceeding.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
if you use the Python x402 client path, install the EVM extras, not only the base package: `pip install 'x402[evm]'`

The optional dependency install is relevant to the x402 payment workflow, but it is unpinned and relies on external package provenance.

User impact: Installing an unpinned dependency could pull a changed package version compared with what the skill author expected.
Recommendation: Install dependencies from trusted sources, pin or review package versions where possible, and prefer already-vetted local OpenClaw components.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
a funded x402-capable payer or existing mnemospark-compatible wallet ... wallet key usually exists at `/home/ubuntu/.openclaw/mnemospark/wallet/wallet.key` ... `Authorization: Bearer <token>`

The skill instructs use of wallet/payment credentials and bearer tokens. That is purpose-aligned for paid storage, but it is high-impact authority and the visible artifacts do not clearly bound approval, spending, or credential handling.

User impact: If used incorrectly, the agent could spend from a wallet and use bearer-scoped access to list, download, share, or delete stored uploads.
Recommendation: Use a dedicated low-balance wallet, require explicit approval before each paid action or deletion, and verify that the wallet path and bearer tokens are scoped only to mnemospark-lite.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
generate shareable links that can be passed to another agent or a human ... Files are retained for 30 days and then automatically deleted

The skill clearly discloses external cloud retention and shareable links. This is aligned with the storage purpose, but users should understand that uploaded content can cross agent/human boundaries.

User impact: Files uploaded through this skill may become accessible through generated links and remain in the service for up to 30 days.
Recommendation: Only upload files intended for cloud storage, verify recipients before sharing links, and delete uploads when they are no longer needed.