Project Trident
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Project Trident is a coherent persistent-memory skill, but it can continuously store, reuse, index, and optionally push broad agent memory/workspace data, so it deserves careful review before use.
Install only if you explicitly want long-lived agent memory. Before enabling cron, cloud vector search, or Git backup, decide what files may be remembered, what must be excluded, where the data will be stored, how to delete it, and how to stop the background jobs.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Sensitive conversation details could be stored indefinitely and later influence the agent in future sessions.
The skill is designed to persist all agent messages and reuse them across sessions. That fits the stated purpose, but the provided docs do not clearly define retention limits, exclusion rules, or deletion controls.
Layer 0 (RAM) — LCM: SQLite+DAG. Every message captured. Nothing lost.
Use it only if persistent memory is desired; define retention/exclusion rules, avoid secrets in remembered conversations, and periodically review or delete stored memory files/databases.
Private notes, prompts, project files, or identity files in the workspace could be embedded and stored in a vector database or sent to an embedding provider.
The optional semantic-recall example indexes every Markdown file under the OpenClaw workspace except migration backups. The same example uses embeddings/vector storage, so private Markdown files may be processed beyond the local memory bucket if the user follows this path.
for md_file in WORKSPACE.rglob("*.md"):
    if "migration-backup" not in str(md_file):
        index_memory_file(md_file)
Restrict indexing to an explicit memory directory, add deny-lists for sensitive files, prefer local embedding/storage for private data, and review indexed content before enabling cloud services.
The agent may keep running, modifying memory, and incurring model costs until the cron job is disabled.
The skill documents a recurring background agent that runs every 15 minutes and follows a prompt stored in the workspace. This is disclosed and central to the memory-router purpose, but it is persistent autonomous behavior.
"schedule": { "kind": "every", "everyMs": 900000 }, ... "message": "Read {WORKSPACE_PATH}/memory/layer0/AGENT-PROMPT.md and execute Layer 0 signal routing."
After setup, list and monitor OpenClaw cron jobs, keep the router prompt protected, and disable the job when persistent memory is not wanted.
If .gitignore or repository privacy is misconfigured, private memory or workspace files could be pushed to a remote Git host.
The optional backup cron uses a broad raw Git command that stages and pushes everything in the workspace. The guide includes a .gitignore example, but privacy depends on correct user configuration.
Run: cd ~/.openclaw/workspace && git add -A && git commit -m 'daily backup: $(date +%Y-%m-%d)' && git push origin main
Use a private repository, run git status before enabling automation, and replace git add -A with explicit paths for files that should be backed up.
Provider keys or Git/cloud credentials used with this skill could grant access to paid APIs or stored memory data.
Cloud vector storage and model-provider options may require API keys or account credentials. This is expected for optional cloud integrations, but registry requirements do not declare required credentials because these paths are optional.
Qdrant Cloud: ... get API key + cluster URL
Use least-privilege keys, separate project accounts where possible, store secrets in the platform’s normal secret store, and rotate keys if exposed.
A future upstream change or compromised download path could affect the services used for memory search.
Optional semantic-recall setup uses latest Docker images and latest downloaded binaries. This is common setup documentation, but it is not pinned to immutable versions or verified checksums.
image: qdrant/qdrant:latest ... curl -L https://github.com/qdrant/qdrant/releases/latest/download/qdrant-x86_64-unknown-linux-musl.tar.gz | tar -xz
Pin Docker image versions, download specific releases, verify checksums/signatures where available, and avoid piping remote installers into a shell in high-trust environments.
Users may overestimate the protection provided and store or retrieve untrusted memory content without sufficient review.
Hash verification can detect changes to a prompt template, but it does not by itself prevent prompt injection or poisoning from conversation logs, daily memory files, or retrieved context. The claim is broader than the control shown in the provided artifacts.
**Security:** SHA256 integrity verification prevents prompt injection
Treat template hashing as tamper detection only; add explicit rules for untrusted memory content, review memory edits, and avoid claiming comprehensive prompt-injection prevention.
