ClawSeal
AdvisoryAudited by VirusTotal on Apr 15, 2026.
Overview
Type: OpenClaw Skill Name: clawseal Version: 1.0.3 The ClawSeal skill provides a persistent cryptographic memory system for agents, but its installation process involves high-risk behaviors. Specifically, the 'install.sh' script automatically registers background services using launchd (macOS) and systemd (Linux) to ensure the Flask server ('backend/clawseal_server.py') runs on boot and restarts on failure. While this persistence is documented and supports the stated purpose of 'persistent memory,' the automated creation of system-level daemons and the installation of external Python packages from PyPI are significant security risks that require careful vetting.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A website or local process may be able to read or alter persistent agent memories through the localhost service, depending on the browser and environment.
Global CORS is enabled and the memory read/write endpoints shown do not perform authentication or origin checks.
app = Flask(__name__)
CORS(app)
...
@app.route('/remember', methods=['POST'])
...
@app.route('/recall', methods=['POST'])Disable broad CORS by default, require a local auth token or allowlisted origin, and add per-user access controls before storing private memories.
Incorrect, sensitive, or unwanted memories could persist and influence future agent behavior across sessions.
The skill is designed to create long-lived memories reused across conversations, but the artifacts do not show deletion, expiration, review, or approval controls.
Result: Your OpenClaw agent remembers you. Forever. With cryptographic proof.
Add clear user controls for reviewing, deleting, expiring, and approving stored memories, especially for facts, decisions, and inferred insights.
The agent or user may be told a memory is intact even if verification is incomplete, ambiguous, or tied to the wrong recalled result.
The verify response marks a memory as valid and content_intact whenever recall returns a result, rather than deriving those fields directly from a verified signature match for the requested memory.
"valid": True,
"memory_id": memory_id,
"signature_verified": memory.get('qseal_verified', False),
"content_intact": TrueMake valid/content_intact depend on explicit signature verification, check that the returned scroll ID exactly matches the requested memory ID, and return a failure state when verification is false.
After installation, the service may keep running and serving memory requests even when the user is not actively using the skill.
The installer registers the memory server as a background service that starts automatically and restarts on failure.
<key>RunAtLoad</key> <true/> <key>KeepAlive</key> <true/> ... systemctl --user enable clawseal-server.service systemctl --user start clawseal-server.service
Install only if you want a persistent background service, and keep the documented stop/unload commands available.
Future dependency versions could change behavior outside what is visible in these artifacts.
Runtime behavior depends on external PyPI packages with lower-bound version constraints rather than pinned versions or hashes.
clawseal>=1.1.3 flask>=2.3.0 flask-cors>=4.0.0
Pin dependency versions, publish lockfiles or hashes, and review the external clawseal package before enabling persistent memory.
If installed through npm tooling, setup code may run automatically and register the background service.
The package defines an install lifecycle script that runs the shell installer in npm contexts.
"scripts": {
"start": "python3 backend/clawseal_server.py",
"install": "bash install.sh",
"test": "curl http://localhost:5002/health"
}Avoid automatic lifecycle installation for privileged setup, or make the daemon registration an explicit, separately confirmed command.