ClawHub

Workspace Review

v1.0.2

Audit workspace structure and memory files against OpenClaw conventions. Use when asked to "review workspace", "audit files", "check structure", or during periodic self-maintenance. Helps catch drift from standard patterns.

4· 2.7k·10 current·10 all-time
by@ortegarod
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description ('Workspace Review') match the provided SKILL.md, references, and the included shell script. All requested artifacts (checks, file locations, git status, memory hygiene) are directly relevant to auditing an OpenClaw workspace. No unrelated credentials, binaries, or config paths are required.
Instruction Scope
SKILL.md instructs inspection actions (ls, wc, git status, skimming files) appropriate for an audit. It documents platform behaviors (automatic memory flush / system prompt used for compaction) — informational for operators but flagged by the pre-scan as a possible 'system-prompt-override' pattern. The instructions do not themselves instruct exfiltration or reading unrelated system secrets; they focus on workspace files. Recommend confirming agents only run these checks with explicit user approval if agent autonomy is enabled.
Install Mechanism
No install spec; the skill is instruction-only with a small helper script. No remote downloads or package installs are present. Risk from installation is minimal.
Credentials
The skill declares no required environment variables, credentials, or config paths. References to config keys (e.g., memorySearch.extraPaths, OPENCLAW_PROFILE) are documentation only. The included script scans workspace markdown for the string 'sk-' (to detect likely API keys) and checks for .env — appropriate for an audit.
Persistence & Privilege
always is false and disable-model-invocation is default; the skill does not request permanent inclusion or modify other skills. The script is read-only in practice (checks and greps); it does not create or send data externally. No privileged actions or writes to other agent configs are present.
Scan Findings in Context
[system-prompt-override] expected: The scanner flagged text describing the platform's 'system prompt' used during automatic memory flush/compaction (present in references/openclaw-conventions.md). This is documentation of host behavior and appears expected for a workspace-conventions reference. However, any content that instructs an agent to honor or act on injected system prompts can be sensitive; treat such text as informational and verify the agent runtime enforces platform-level controls rather than skill-level prompts.
Assessment
This skill appears to be what it says: a local workspace auditor with a small helper script. Before installing/running: 1) Inspect the included scripts yourself (scripts/workspace-status.sh) and run them locally to see the output; they are simple read-only checks. 2) Verify there are no secrets in your workspace (MEMORY.md, memory/*.md, .env) — the script already greps for 'sk-' tokens and .env. 3) Be aware the docs describe automatic memory-flush behavior (agent writes to memory/YYYY-MM-DD.md during compaction); if you have concerns about automatic memory writes, review your agent's compaction/memoryFlush config. 4) If you enable autonomous invocation, restrict when the agent may run workspace audits (require explicit user confirmation) because the skill's instructions could be invoked repeatedly. Overall the package is coherent and low-risk, but always review included code before granting execution rights.

Like a lobster shell, security has layers — review code before you run it.

latestvk973e4g7j7ysk0xwvfm3xyfsx180nmsf
2.7kdownloads
4stars
5versions
Updated 1mo ago
v1.0.2
MIT-0
@ortegarod
latest
Download

Workspace Review

A self-audit process to verify workspace files follow OpenClaw conventions and haven't drifted into non-standard patterns.

When to Run

  • Periodically (weekly or after major changes)
  • When asked to "review", "audit", or "check" workspace
  • After bootstrap or significant reorganization
  • During heartbeat maintenance cycles

Review Process

1. Structure Check

Verify expected files exist in correct locations:

~/.openclaw/workspace/
├── AGENTS.md        ← Operating instructions (REQUIRED)
├── SOUL.md          ← Persona/tone (REQUIRED)
├── USER.md          ← User profile (REQUIRED)
├── IDENTITY.md      ← Agent name/vibe/emoji (REQUIRED)
├── TOOLS.md         ← Local tool notes (REQUIRED)
├── HEARTBEAT.md     ← Heartbeat checklist (optional)
├── MEMORY.md        ← Curated long-term memory (optional)
├── BOOT.md          ← Runs on gateway restart (optional, boot-md hook)
├── BOOTSTRAP.md     ← One-time first-run ritual (delete after use)
├── memory/          ← Daily logs + reference docs (vector-indexed)
│   └── YYYY-MM-DD.md
└── skills/          ← Workspace-specific skills (optional)

Note on BOOT.md vs BOOTSTRAP.md:

  • BOOT.md — Persistent; runs every gateway restart (if boot-md hook enabled)
  • BOOTSTRAP.md — One-time; agent follows it on first run, then deletes it

Check: Run ls -la on workspace root. Flag missing required files.

2. File Purpose Audit

Each file has ONE job. Check for scope creep:

FileShould ContainShould NOT Contain
AGENTS.mdOperating instructions, memory workflow, behavior rulesPersonal memories, daily logs, tool configs
SOUL.mdPersona, tone, boundaries, identity philosophyTask lists, technical details, credentials
USER.mdUser profile, preferences, how to address themAgent memories, system config
IDENTITY.mdName, emoji, vibe, external identities (wallets, handles)Instructions, memories
TOOLS.mdEnvironment-specific notes (camera names, SSH hosts, voices)Skill instructions, operating procedures
HEARTBEAT.mdShort checklist for periodic checksLong procedures, full documentation
MEMORY.mdCurated lessons, key context, important people/projectsDaily logs, raw notes
memory/*.mdDaily logs, raw notes, session summariesLong-term curated memories

Check: Skim each file. Flag content in wrong location.

3. Memory Hygiene

  • Daily files use YYYY-MM-DD.md or YYYY-MM-DD-slug.md format
  • Hook-generated session files (session-memory hook creates YYYY-MM-DD-slug.md) reviewed periodically
  • Reference docs use descriptive names (not dates): project-notes.md, api-guide.md
  • MEMORY.md contains curated insights, not raw logs
  • No duplicate information across MEMORY.md and daily files
  • Old daily files reviewed and distilled to MEMORY.md periodically
  • No sensitive data (API keys, passwords) in memory files

Automatic Memory Flush: OpenClaw triggers a silent agent turn before session compaction to write durable memories. The agent receives a prompt to flush important context to memory/YYYY-MM-DD.md. This is automatic — no action needed, but be aware your context WILL be compacted after ~180k tokens.

4. Vector Search Alignment

  • Only MEMORY.md and memory/**/*.md are indexed by default
  • Daily logs use YYYY-MM-DD.md; reference docs use descriptive names
  • Files outside memory/ can be indexed via memorySearch.extraPaths in config

Session Memory (Experimental): If memorySearch.experimental.sessionMemory = true, session transcripts are also indexed and searchable via memory_search.

5. Git Status

⚠️ This workspace is PRIVATE. Never push to GitHub or any public remote.

cd ~/.openclaw/workspace && git status
  • No remote configured (or only private backup)
  • No untracked files that should be tracked
  • No tracked files that should be gitignored
  • No uncommitted changes lingering for days
  • .gitignore excludes secrets (*.key, .pem, .env, secrets)

6. Rogue Files Check

Look for files that don't fit the standard layout:

ls -la ~/.openclaw/workspace/

Flag anything that:

  • Duplicates bootstrap file purposes (e.g., README.md alongside AGENTS.md)
  • Stores credentials in workspace (should be in ~/.openclaw/credentials/)
  • Creates non-standard directories without clear purpose

Note: Only MEMORY.md and memory/**/*.md are vector-indexed. Files outside memory/ can be added via memorySearch.extraPaths in config.

7. Size Check

Bootstrap files should be lean (loaded every session):

  • AGENTS.md: < 500 lines ideal, < 1000 max
  • SOUL.md: < 200 lines ideal
  • USER.md: < 100 lines ideal
  • IDENTITY.md: < 50 lines ideal
  • HEARTBEAT.md: < 100 lines (token burn concern)
wc -l AGENTS.md SOUL.md USER.md IDENTITY.md HEARTBEAT.md TOOLS.md MEMORY.md 2>/dev/null

8. Skills Check

If skills/ exists:

  • Each skill has SKILL.md with valid frontmatter (name, description)
  • No duplicate skills (workspace vs managed)
  • Skills follow progressive disclosure (lean SKILL.md, references for details)

Output Format

After review, report:

## Workspace Review — YYYY-MM-DD

### ✅ Passing
- [list what's correct]

### ⚠️ Warnings
- [list minor issues]

### ❌ Issues
- [list things that need fixing]

### 📋 Recommendations
- [specific actions to take]

References

Comments

Loading comments...