MemSync Dual Memory System

Warn

Audited by ClawScan on May 10, 2026.

Overview

This is a disclosed conversation-memory logger, but it automatically records all conversations and tool outputs into persistent searchable storage, with limited built-in controls.

Only install this if you intentionally want complete, persistent memory of OpenClaw conversations and tool outputs. Prefer local/sharded mode for private data, secure the log and .mv2 files, avoid entering secrets while it is enabled, verify Memvid is installed correctly, and periodically rotate or delete stored memory.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Sensitive prompts, file contents, API responses, command output, or secrets exposed during tool use may be retained and searchable long after the conversation.

Why it was flagged

This shows broad automatic capture of private conversation and tool-output content into long-term searchable memory, without showing granular redaction or opt-out controls.

Skill content

This skill captures **everything** - by design. It logs all user messages, assistant responses, sub-agent conversations, tool outputs, and system events to local files. ... Continuous logging: Once installed, it runs automatically on every assistant response until removed

Recommendation

Install only if you explicitly want complete conversation memory. Add or request redaction, per-session opt-out, path controls, retention limits, and clear deletion instructions before using it with sensitive work.

What this means

If Memvid is missing or fails, copies of conversation content may accumulate outside the documented log paths.

Why it was flagged

A raw log entry is written to a non-auto-deleted temp file, but cleanup occurs only after the Memvid subprocess succeeds far enough to reach os.unlink; failures such as a missing Memvid binary or timeout can leave sensitive temp files behind.

Skill content

with tempfile.NamedTemporaryFile(mode='w', suffix='.json', delete=False) as f: ... json.dump(log_entry, f, ensure_ascii=False, indent=2) ... result = subprocess.run(...); os.unlink(temp_path) ... except Exception: return False

Recommendation

Use try/finally cleanup for temp files, avoid creating temp files when Memvid is unavailable, and check temporary directories if the skill has been run with a broken Memvid install.

What this means

Once installed, the logger can run after normal assistant responses until the skill or hook is removed.

Why it was flagged

The skill registers an automatic response hook. This is disclosed and purpose-aligned, but users should notice that logging is not only manually invoked.

Skill content

"hooks": { "message_out": { "description": "Called after each assistant response", "command": "python3 tools/log.py" } }

Recommendation

Confirm you want always-on logging before installing, and know how to disable or remove the skill.

What this means

Using API mode may send conversation logs and tool outputs to Memvid's cloud service.

Why it was flagged

The optional API key enables a third-party data path for logged memory. This is disclosed and aligned with the Memvid integration.

Skill content

Optional cloud mode: API mode with `MEMVID_API_KEY` sends data to memvid.com (third-party service). Free/local modes keep data on your machine only.

Recommendation

Use local/free or sharding mode for private data, and only set MEMVID_API_KEY if you accept Memvid's cloud storage and account permissions.

What this means

The skill can create and update local memory/log files and invoke the Memvid CLI during normal use.

Why it was flagged

The skill needs file-write and subprocess authority to perform its stated logging function. The permissions are disclosed, but they are sensitive because they operate automatically on conversation content.

Skill content

"permissions": [ { "name": "file_write", "reason": "Write conversation logs to JSONL files and create Memvid .mv2 memory files in user's workspace" }, { "name": "exec_subprocess", "reason": "Call memvid CLI to append frames to memory files" } ]

Recommendation

Keep paths scoped to a private workspace, review file permissions, and avoid pointing MEMVID_BIN or log paths at untrusted or shared locations.

What this means

Your installation depends on the Memvid CLI package available from npm at install time.

Why it was flagged

The installer can pull an unpinned global npm package. This is expected for the Memvid integration, but it is broader than the registry's 'no required binaries' summary.

Skill content

if ! command -v memvid &> /dev/null; then ... npm install -g memvid

Recommendation

Install Memvid from a trusted source, consider pinning a known-good version, and verify the registry metadata before relying on the skill in sensitive environments.