memclaw-maintance
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent maintenance guide for a memory plugin, but it asks you to install external plugin code, configure API keys, and enable persistent memory behavior.
Before installing, verify the external @memclaw/memclaw package, protect the API keys you configure, and make sure you are comfortable with persistent memory being loaded at the start of sessions and maintained by local background services.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the plugin will run and trust code that was not included in this review.
The skill directs installation of an external plugin package. This is user-directed and central to the stated purpose, but the plugin's code is not part of the provided artifacts.
openclaw plugins install @memclaw/memclaw
Verify the package source, publisher, and repository before installing, especially because it handles memory and API keys.
Provider API keys may allow model or embedding API usage and billing under the user's account.
The guide asks the user to configure LLM and embedding provider credentials. This is expected for the memory plugin, and the artifacts do not show hardcoded keys, logging, or unrelated credential use.
"llmApiKey": "your-llm-api-key", "embeddingApiKey": "your-embedding-api-key"
Use limited-scope provider keys where possible, keep openclaw.json private, and rotate keys if they are exposed.
Stored memories may be reused across conversations and could influence the agent if inaccurate, outdated, or sensitive.
The skill instructs future agents to automatically load persistent user memory and session context. This is the core function of a memory plugin, but persistent context can affect future responses and may contain sensitive information.
Session Startup (ALWAYS execute at conversation start) Load user profile from persistent memory: ... cortex_get_abstract ... cortex_get_overview ... cortex_ls
Review stored memories periodically, avoid storing secrets, and clarify whether memory content is processed by any configured LLM or embedding provider.
Maintenance may run outside a direct manual request and update indexes or generated memory layers.
The maintenance documentation says some maintenance may run on a schedule. This is expected for keeping indexes healthy, but it is persistent background behavior users should know about.
This tool is typically called automatically by a scheduled Cron task.
Confirm scheduled maintenance and auto-start settings are acceptable, and know how to disable them if you do not want background activity.
