Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Memory Hygiene

Audit, clean, and optimize Clawdbot's vector memory (LanceDB). Use when memory is bloated with junk, token usage is high from irrelevant auto-recalls, or setting up memory maintenance automation.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the instructions: commands reference Clawdbot-specific tools/paths (memory_store, memory_recall, ~/.clawdbot/memory/lancedb/, gateway actions). This is coherent for a memory maintenance skill. However the guidance to store 'accounts, credentials locations, contacts' is questionable and conflicts with the 'Never store: OAuth URLs or tokens' note — storing credential locations is not clearly necessary for a hygiene tool and increases risk.
! Instruction Scope
SKILL.md instructs destructive actions (rm -rf ~/.clawdbot/memory/lancedb/) and restarting the gateway, reading/parsing local files (MEMORY.md), and adding a monthly cron job that will perform the wipe+reseed automatically. These are in-scope for maintenance but are high-impact operations (data loss risk) and the cron makes the behavior persistent. The file also advises storing potentially sensitive items (accounts/credential locations), which expands scope to sensitive data collection/storage.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest installer risk. Nothing is downloaded or written by an installer step in the package itself.
! Credentials
The skill declares no required credentials or env vars (good), but its content explicitly encourages storing 'accounts, credentials locations' in vector memory. Asking users to persist credential-related information in memory is disproportionate to a maintenance task and increases attack surface / leakage risk; the guidance is internally inconsistent with the 'Never store OAuth URLs or tokens' line.
! Persistence & Privilege
While the skill itself is not always:true, the instructions recommend creating a recurring cron job that will automatically wipe and reseed memory monthly. That establishes persistent, scheduled destructive behavior on the host — a meaningful privilege/risk that should be intentionally authorized and tested before deployment.
What to consider before installing
Before using/installing:

  1) Treat the rm -rf instruction as destructive — back up your LanceDB and test the wipe/reseed on a non-production instance first.
  2) Do NOT store secrets (API keys, tokens, passwords) in vector memory; the SKILL.md contradicts itself by suggesting to store 'credentials locations' — avoid storing any sensitive credentials or locations that could enable later exfiltration.
  3) Review and limit the cron job: prefer manual or carefully permissioned automation; confirm the cron runs under a non-privileged account and that the command does exactly what you expect.
  4) Verify the gateway actions/CLI referenced (gateway action=config.patch, memory_store, memory_recall, clawdbot gateway restart) exist and behave as documented in your environment.
  5) Confirm the source/repo and author before trusting automated maintenance (the package lists a homepage but 'Source: unknown'); review the GitHub repo and commit history.
  6) If you accept the automation, add logging and alerting for maintenance runs and keep backups to avoid irreversible data loss.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0

SKILL.md

Memory Hygiene

Keep vector memory lean. Prevent token waste from junk memories.

Quick Commands

Audit: Check what's in memory

memory_recall query="*" limit=50

Wipe: Clear all vector memory

rm -rf ~/.clawdbot/memory/lancedb/

Then restart gateway: clawdbot gateway restart

Reseed: After wipe, store key facts from MEMORY.md

memory_store text="<fact>" category="preference|fact|decision" importance=0.9
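
The wipe step above deletes the whole store with no way back. The function below is an added example, not part of the skill or of Clawdbot: it archives the directory, checks the archive, and only then removes it. BACKUP_DIR, the archive name and the log file are assumptions.

```shell
#!/usr/bin/env bash
# Added example: back up the LanceDB directory before the wipe step.
# MEMORY_DIR is the path from SKILL.md; BACKUP_DIR is an assumed location.
MEMORY_DIR="${MEMORY_DIR:-$HOME/.clawdbot/memory/lancedb}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/.clawdbot/memory-backups}"

backup_and_wipe() {
    local dir="${MEMORY_DIR%/}" stamp archive
    # Refuse anything that is not a real directory: a symlink here would
    # point rm -rf at whatever the link targets.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: $dir is missing or a symlink" >&2
        return 2
    fi
    # Refuse paths without the expected leaf, so an empty or mistyped
    # MEMORY_DIR cannot widen the delete.
    case "$dir" in
        */memory/lancedb) ;;
        *) echo "refusing: unexpected path $dir" >&2; return 2 ;;
    esac
    umask 077   # the archive may hold personal data; keep it owner-only
    mkdir -p "$BACKUP_DIR" || return 1
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    archive="$BACKUP_DIR/lancedb-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$dir")" "$(basename "$dir")" || return 1
    # Delete only after the archive lists cleanly.
    tar -tzf "$archive" >/dev/null || return 1
    rm -rf -- "$dir" || return 1
    # Append a line per run so scheduled wipes leave a trace.
    echo "$(date -u +%FT%TZ) wiped $dir backup=$archive" >> "$BACKUP_DIR/maintenance.log"
    printf '%s\n' "$archive"
}
```

Run `clawdbot gateway restart` afterwards, as in the wipe step above.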

Config: Disable Auto-Capture

The main source of junk is autoCapture: true. Disable it:

{
  "plugins": {
    "entries": {
      "memory-lancedb": {
        "config": {
          "autoCapture": false,
          "autoRecall": true
        }
      }
    }
  }
}

Use gateway action=config.patch to apply.

What to Store (Intentionally)

✅ Store:

  • User preferences (tools, workflows, communication style)
  • Key decisions (project choices, architecture)
  • Important facts (accounts, credentials locations, contacts)
  • Lessons learned

❌ Never store:

  • Heartbeat status ("HEARTBEAT_OK", "No new messages")
  • Transient info (current time, temp states)
  • Raw message logs (already in files)
  • OAuth URLs or tokens

Monthly Maintenance Cron

Set up a monthly wipe + reseed:

cron action=add job={
  "name": "memory-maintenance",
  "schedule": "0 4 1 * *",
  "text": "Monthly memory maintenance: 1) Wipe ~/.clawdbot/memory/lancedb/ 2) Parse MEMORY.md 3) Store key facts to fresh LanceDB 4) Report completion"
}

Storage Guidelines

When using memory_store:

  • Keep text concise (<100 words)
  • Use appropriate category
  • Set importance 0.7-1.0 for valuable info
  • One concept per memory entry
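
The "Never store" list and the length guideline can be enforced before memory_store is called. The function below is an added example, not part of the skill or of Clawdbot; its regular expressions are illustrative heuristics and will not catch every token format.

```shell
#!/usr/bin/env bash
# Added example: screen a candidate memory entry before memory_store.
# The patterns are assumed heuristics, not Clawdbot's own rules.

# Prints a reason and returns 1 when the text should not be stored;
# prints "ok" and returns 0 otherwise.
screen_memory_text() {
    local text="$1" words
    words=$(( $(printf '%s\n' "$text" | wc -w) ))
    if [ "$words" -eq 0 ]; then echo "empty"; return 1; fi
    # Storage guideline from SKILL.md: keep text under 100 words.
    if [ "$words" -ge 100 ]; then echo "too long"; return 1; fi
    # "Never store": heartbeat status lines.
    if printf '%s\n' "$text" | grep -Eq 'HEARTBEAT_OK|No new messages'; then
        echo "heartbeat status"; return 1
    fi
    # "Never store": OAuth URLs (authorization endpoints, callback parameters).
    if printf '%s\n' "$text" | grep -Eiq \
        'https?://[^ ]*(oauth|[?&](code|access_token|refresh_token|client_secret)=)'; then
        echo "oauth url"; return 1
    fi
    # "Never store": tokens. Bearer values, JWT-shaped strings, long opaque runs.
    if printf '%s\n' "$text" | grep -Eq \
        'Bearer +[A-Za-z0-9._~+/-]{16,}|eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.|[A-Za-z0-9_-]{40,}'; then
        echo "token-like string"; return 1
    fi
    echo "ok"
}
```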
