Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Total Recall

v1.5.1

The only memory skill that watches on its own. No database. No vectors. No manual saves. Just an LLM observer that compresses your conversations into priorit...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's stated purpose (autonomous, file-backed memory watcher) aligns with the included scripts that read session JSONL and write observations.md. However the registry metadata claims 'Required env vars: none' while SKILL.md and scripts require an LLM API key (OPENROUTER_API_KEY / LLM_API_KEY) and other provider config; changelog mentions ANTHROPIC_API_KEY for a backfill script. That mismatch between declared registry requirements and the actual SKILL.md/scripts is an incoherence that matters: the skill will expect credentials not advertised by the registry.
! Instruction Scope
The runtime instructions and bundled prompts direct agents to read session transcript files (SESSIONS_DIR), run scripts that append/modify memory files, and hook into OpenClaw compaction (memoryFlush). The skill includes several system-agent prompts (observer, reflector, dream-cycle) that assume the agent will run sub-agents and may perform writes. The Dream Cycle prompt defaults to READ_ONLY_MODE=false (i.e., write-enabled) if not explicitly set, and memoryFlush instructs an immediate --flush capture and then asks the agent to 'write a brief summary of THIS session' and 'Reply with NO_REPLY' — this is effectively a behavior override that will cause the agent to persist session content. These instructions stay within the stated purpose (capturing conversation), but they also grant broad rights to read session data and autonomously write/modify files and archives — and include directives that look like system-prompt overrides. That elevated autonomy and the default-to-write behavior are risky without explicit user opt-in.
Install Mechanism
There is no automated install spec (no remote download/extract), but the package includes many shell scripts and a setup.sh that will create directories, install a systemd watcher service (on Linux), and print cron instructions. No third-party binary downloads were detected in the manifest, which reduces remote-code-fetch risk, but running setup.sh will grant the skill persistent cron/systemd presence and create files under your workspace — review setup.sh and any systemd unit templates before running.
! Credentials
A memory skill legitimately needs an LLM key to compress transcripts, so requesting OPENROUTER_API_KEY / LLM_API_KEY is proportionate. The problem is inconsistency: registry metadata lists no required env vars but SKILL.md marks OPENROUTER_API_KEY required and other scripts reference ANTHROPIC_API_KEY (backfill). The skill also documents various configurable URLs/keys and encourages setting LLM_BASE_URL/OBSERVER_API_URL, and some code paths will accept a dummy OPENROUTER_API_KEY for local models (odd fallback). Before installing, confirm which keys are actually required, and be aware: any remote provider key you supply will result in session data being sent off-host to that provider unless you configure a local LLM endpoint.
! Persistence & Privilege
The skill asks to persistently run via cron and an optional systemd watcher and writes memory/ and logs/ files. 'always' is false (good), but the skill's default prompts (Dream Cycle default READ_ONLY_MODE=false) and cron/systemd setup mean it will autonomously modify observations.md and archive files if you follow the setup instructions. That combination (autonomous writes + system services + default write mode) increases blast radius compared with a purely manual tool. It does not auto-enable itself at platform level, but setup.sh will create persistent system-level jobs that run unattended.
Scan Findings in Context
[system-prompt-override] expected: The skill ships system prompts (observer/reflector/dream-cycle) and instructs running LLM-driven sub-agents; those prompts can functionally override or direct agent behavior. That is expected for a skill that runs its own sub-agents, but it is security-relevant because default prompts include WRITE behavior (READ_ONLY_MODE default=false) and explicit instructions to write session summaries.
What to consider before installing
Key things to check before installing:
- Verify declared requirements: the registry metadata did not list required env vars but SKILL.md and scripts require an LLM API key (OPENROUTER_API_KEY / LLM_API_KEY). Confirm which keys are actually needed and where they will be used.
- Audit the scripts (setup.sh, observer-*.sh, reflector-*.sh, dream-cycle.sh, session-recovery.sh) before running setup.sh. setup.sh will create memory/ and logs/, install cron jobs and (on Linux) a systemd watcher — review and optionally run the commands manually rather than blindly executing setup.sh.
- Start in safe mode: run Dream Cycle in READ_ONLY_MODE=true and run observer scripts manually to see outputs before enabling automatic writes. The prompts default to writing (READ_ONLY_MODE=false) if you don't explicitly set this.
- Consider using a local LLM endpoint first (LLM_BASE_URL pointing to localhost) or a dummy API key during evaluation to avoid sending your session data to a remote provider until you are comfortable. If you must use a hosted provider, be aware that session transcripts and derived observations will be transmitted to that provider.
- Check cron/systemd entries that will be created and remove or restrict them if you prefer manual invocation. Back up your current workspace and existing memory/observations.md before enabling automatic schedules.
- Be cautious about the memoryFlush config: it instructs an agent turn to run the observer and to write a session summary automatically. If you keep that hook, that summary will be generated and persisted at compaction time.

If you want, I can: (1) list the exact files/lines in setup.sh that create services/crontab entries, (2) summarize which scripts call network endpoints and where, or (3) produce a safe checklist to run the skill in read-only/evaluation mode.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🧠 Clawdis
Bins: jq, curl
