ClawSeal
Warn
Audited by ClawScan on May 10, 2026.
Overview
ClawSeal’s memory feature is coherent, but it runs a persistent local memory server with unauthenticated, CORS-enabled read/write access to long-term agent memories.
Review this before installing. If you use it, restrict the local server, disable broad CORS, add an authentication token, and avoid storing sensitive personal or business information until memory deletion/review controls and stronger verification behavior are in place.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A website or local process may be able to read or alter persistent agent memories through the localhost service, depending on the browser and environment.
Global CORS is enabled and the memory read/write endpoints shown do not perform authentication or origin checks.
app = Flask(__name__)
CORS(app)
...
@app.route('/remember', methods=['POST'])
...
@app.route('/recall', methods=['POST'])
Disable broad CORS by default, require a local auth token or allowlisted origin, and add per-user access controls before storing private memories.
Incorrect, sensitive, or unwanted memories could persist and influence future agent behavior across sessions.
The skill is designed to create long-lived memories reused across conversations, but the artifacts do not show deletion, expiration, review, or approval controls.
Result: Your OpenClaw agent remembers you. Forever. With cryptographic proof.
Add clear user controls for reviewing, deleting, expiring, and approving stored memories, especially for facts, decisions, and inferred insights.
The agent or user may be told a memory is intact even if verification is incomplete, ambiguous, or tied to the wrong recalled result.
The verify response marks a memory as valid and content_intact whenever recall returns a result, rather than deriving those fields directly from a verified signature match for the requested memory.
"valid": True,
"memory_id": memory_id,
"signature_verified": memory.get('qseal_verified', False),
"content_intact": True
Make valid/content_intact depend on explicit signature verification, check that the returned scroll ID exactly matches the requested memory ID, and return a failure state when verification is false.
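One way to implement the recommended verify logic, as an added example that is not ClawSeal's own code: an HMAC-SHA256 over the memory id and content stands in for the project's qseal signature scheme (an assumption), and valid/content_intact are derived only from an explicit signature match on a record whose id equals the requested one.

```python
import hashlib
import hmac
import json
from typing import Optional

# Stand-in signing scheme (assumption): the real skill uses its own "qseal"
# signatures; an HMAC over id+content is used here only to make the
# verification decision concrete and runnable offline.
def sign_memory(key: bytes, memory_id: str, content: str) -> str:
    msg = json.dumps({"memory_id": memory_id, "content": content}, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_memory(key: bytes, requested_id: str, recalled: Optional[dict]) -> dict:
    """Derive valid/content_intact from a signature check on the record that
    recall returned, never from the mere fact that recall returned something."""
    failure = {
        "valid": False,
        "memory_id": requested_id,
        "signature_verified": False,
        "content_intact": False,
    }
    if recalled is None:
        return {**failure, "reason": "not_found"}
    # Recall may hand back a different scroll (e.g. a fuzzy match); reject it.
    if recalled.get("memory_id") != requested_id:
        return {**failure, "reason": "id_mismatch"}
    signature = recalled.get("signature")
    if not signature:
        return {**failure, "reason": "unsigned"}
    expected = sign_memory(key, requested_id, recalled.get("content", ""))
    if not hmac.compare_digest(expected, signature):
        return {**failure, "reason": "signature_mismatch"}
    return {
        "valid": True,
        "memory_id": requested_id,
        "signature_verified": True,
        "content_intact": True,
    }

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    record = {"memory_id": "mem-001", "content": "User prefers dark mode"}
    record["signature"] = sign_memory(key, record["memory_id"], record["content"])
    print(verify_memory(key, "mem-001", record)["valid"])            # True
    tampered = {**record, "content": "User prefers light mode"}
    print(verify_memory(key, "mem-001", tampered)["reason"])         # signature_mismatch
    print(verify_memory(key, "mem-002", record)["reason"])           # id_mismatch
```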
After installation, the service may keep running and serving memory requests even when the user is not actively using the skill.
The installer registers the memory server as a background service that starts automatically and restarts on failure.
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
...
systemctl --user enable clawseal-server.service
systemctl --user start clawseal-server.service
Install only if you want a persistent background service, and keep the documented stop/unload commands available.
Future dependency versions could change behavior outside what is visible in these artifacts.
Runtime behavior depends on external PyPI packages with lower-bound version constraints rather than pinned versions or hashes.
clawseal>=1.1.3
flask>=2.3.0
flask-cors>=4.0.0
Pin dependency versions, publish lockfiles or hashes, and review the external clawseal package before enabling persistent memory.
If installed through npm tooling, setup code may run automatically and register the background service.
The package defines an install lifecycle script that runs the shell installer in npm contexts.
"scripts": {
"start": "python3 backend/clawseal_server.py",
"install": "bash install.sh",
"test": "curl http://localhost:5002/health"
}
Avoid automatic lifecycle installation for privileged setup, or make the daemon registration an explicit, separately confirmed command.
