Skill v3.0.4

ClawScan security

Openclaw Memory Max · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 3:40 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, hooks, and configuration are coherent with a local memory-enhancement plugin; it reads/writes OpenClaw memory files and can inject memories/rules into the agent context — features that are expected but require careful opt-in and file-permission hygiene.
Guidance
This skill appears to do what it claims, but it gains access to conversation content and can modify the agent's system prompt when specific options are enabled. Before installing:
1) Confirm you trust the upstream source (review package.json and openclaw.plugin.json for dependencies and any network code).
2) Keep enableAutoCapture and enableRulePinning disabled unless you need them; if you enable rule pinning, ensure only trusted processes/users can write ~/.openclaw/memory/MEMORY.md.
3) Inspect the sidecar files (auto_captured.jsonl, episodes.jsonl, utility_scores.json, causal_graph.json) and set file permissions so only your user can read/write them.
4) If you are concerned about privacy or untrusted code, consider running the plugin in an isolated environment or container, or review the full source to ensure there are no unexpected network calls or remote model fetching.
If you want, I can scan package.json and the remaining source files for network calls and dependency risk indicators.
Findings
[system-prompt-override] expected: The prescan flagged potential system-prompt override patterns; SKILL.md and code intentionally inject memory XML blocks and (optionally) pinned rules into the system prompt/context. This is an intended capability for a proactive memory plugin but is precisely the pattern the scanner flagged, so treat it as expected but sensitive.

Review Dimensions

Purpose & Capability
ok: Name/description match the implementation: the package reads OpenClaw's memory DB (read-only via sql.js), provides cross-encoder reranking, multi-hop search, a causal graph, episodic logging, and a sleep-cycle consolidator. It writes sidecar files under ~/.openclaw/memory and registers lifecycle hooks — all expected for a memory plugin.
Instruction Scope
note: SKILL.md instructs the plugin to auto-inject <relevant-memories> into the agent context and (optionally) pin YAML rules into the system prompt. It also optionally auto-captures high-value user messages to disk. These behaviors are consistent with the stated purpose but broaden the plugin's access to conversation content and the agent's system prompt when enabled; the doc clearly marks auto-capture and rule-pinning as opt-in.
Install Mechanism
ok: No external download/install URLs in the provided manifest text; code is pure JS/TS with bundled dist and src files and appears to rely on npm dependencies (package.json present). No extract-from-URL installs or arbitrary remote executables were detected in the supplied files. This is a lower-risk install footprint compared with arbitrary binary downloads.
Credentials
note: The skill requests no credentials or env-vars but reads HOME or OPENCLAW_HOME to access ~/.openclaw/memory and OpenClaw's main.sqlite (read-only). That is proportionate for a memory plugin. However, enabling auto-capture causes the plugin to write user messages to auto_captured.jsonl and episodes.jsonl — a privacy-sensitive behavior that is disabled by default.
Persistence & Privilege
note: always:false and the skill registers lifecycle hooks (before_agent_start, agent_end, before_compaction, session hooks) — expected for a plugin that proactively injects memories. It can add content to the system prompt (context.addSystemContent) and — if rule-pinning is enabled — pin YAML rules into the system prompt; because rule-pinning is opt-in and documented, this is acceptable but powerful and should be enabled only when you control the MEMORY.md file and trust the plugin.