Dream
Suspicious. Audited by ClawScan on May 10, 2026.
Overview
Dream is mostly a disclosed memory-management skill, but it keeps a permanent archive of forgotten memories and exposes a helper that can overwrite files outside the intended memory vault.
Install only if you are comfortable with a local agent maintaining long-term memory automatically. Review the ledger and removed-entry behavior carefully, because `dream forget` does not truly erase archived memories. Before using it, constrain the atomic-write helper to the intended memory/vault paths, pin the source version, and back up your OpenClaw workspace.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Information a user asks the agent to forget may remain stored locally forever and can be reintroduced into future context.
The skill explicitly says a forget request does not remove the permanent ledger copy, and later matching content can automatically restore the entry into active memory.
`dream forget <description>` ... `No confirmation needed; execute directly.` ... `Records in the ledger are not affected by dream forget and are kept permanently` ... `automatically triggers re-emergence and rewrites MEMORY.md`
Add a true purge/delete option for ledger and removed-entry records, require confirmation for forget operations, and let users disable re-emergence for deleted memories.
If the agent misuses this helper or is steered into passing the wrong path, it could overwrite arbitrary user-writable files.
The helper accepts any target file path and replaces it with the provided tmp file; only MEMORY.md gets an extra size check, and there is no path allowlist limiting writes to the OpenClaw workspace or DREAM_VAULT_PATH.
`cmd_atomic_write() { local target="${1:-}" ... ensure_dir "$target" ... mv "$tmpfile" "$target" }`
Restrict atomic writes to approved paths such as the resolved MEMORY.md and DREAM_VAULT_PATH files, reject path traversal or absolute paths outside those roots, and log the resolved destination before replacing files.
Users may believe the skill cannot write outside its vault or workspace when one documented helper can replace other writable files.
This safety claim is stronger than the visible helper implementation supports, because the atomic-write command accepts an arbitrary destination path.
`All file operations are strictly scoped to DREAM_VAULT_PATH and the OpenClaw workspace`
Either enforce the stated scope in code or narrow the README security claim to match the actual behavior.
Your memory files may change overnight without a visible conversation message.
The scheduled silent behavior is clearly disclosed and central to the skill, but it means the agent can autonomously read and update persistent memory without an interactive prompt each time.
`Run dream review --scheduled every day at 03:30` ... `Dream distills at 03:30 every night, runs silently, and never interrupts you.`
Use the schedule only if you want autonomous maintenance, and consider requiring a brief daily summary or approval before applying memory changes.
Installing later from the repository could fetch code different from the reviewed version.
The documented install flow runs a shell helper from an unpinned GitHub branch. This is a common setup pattern, but it gives the repository owner supply-chain influence over what users install.
`git clone https://github.com/teman2050/dream-skill dream` ... `chmod +x dream/dream-tools.sh`
Pin installation to a reviewed commit or release tag and inspect the shell script before making it executable.
