Workspace Hygiene Publish

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to perform the advertised local workspace hygiene audit. It discloses its memory scanning, persistent reports, optional file fixes, and an optional weekly run; review these before enabling.

This looks coherent for a workspace maintenance skill. Before installing, be aware that it scans local OpenClaw memory/project files and writes reports. First run it in report-only mode, review the output, and only use --fix or weekly HEARTBEAT scheduling if you are comfortable with recurring local audits and possible memory-file edits.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run with --fix, the skill may change workspace memory files by consolidating timestamped entries.

Why it was flagged

The script includes an explicit fix mode that can write merged memory content back into the workspace. This is aligned with the hygiene purpose and not enabled by the default command, but it is still local file mutation.

Skill content

parser.add_argument("--fix", action="store_true", help="Apply low-risk fixes.")
...
target_path.write_text(merged, encoding="utf-8")

Recommendation

Run it without --fix first, review the report, and keep backups or version control before applying fixes.

What this means

Private memory structure, project names, and hygiene findings may become part of a saved report that future agents can read.

Why it was flagged

The skill reads persistent memory/RAG-related workspace files and writes a persistent hygiene report. This is core to the skill, but those files may influence future retrieval and agent context.

Skill content

Scans `memory/` ... Validates that recent memory entries ... Writes a report to `projects/system/hygiene-YYYY-MM-DD.md`

Recommendation

Use it only on intended workspaces and review generated reports before treating them as authoritative context.

What this means

If enabled, the agent may run this hygiene audit repeatedly and create new reports over time.

Why it was flagged

The artifacts document a recurring weekly workflow if the user adds it to HEARTBEAT.md. This is disclosed and purpose-aligned, but it is still a form of persistent scheduled agent behavior.

Skill content

Maintains clean, RAG-friendly workspaces across all agents. Runs on demand or weekly. ... Add to `HEARTBEAT.md`: `## Weekly Hygiene (Monday)`

Recommendation

Enable the weekly heartbeat only if you want recurring audits, and avoid adding --fix to automated runs unless you are comfortable with automatic file changes.