Dream
Warn
Audited by ClawScan on May 10, 2026.
Overview
Dream's memory features match its purpose, but it keeps a permanent archive that can restore forgotten memories and includes an overbroad file-write helper, so users should review it carefully before installing.
Install only if you are comfortable with an agent maintaining long-term personal memory. Before enabling the 03:30 schedule, decide whether permanent archive retention and automatic re-emergence are acceptable, set DREAM_VAULT_PATH deliberately, back up MEMORY.md, and consider restricting dream-tools.sh so it can only write inside the OpenClaw workspace and Dream vault.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Sensitive personal information may remain stored and may reappear in future agent context even after the user believes it was forgotten.
The skill stores memories permanently, does not delete the permanent archive when the user asks to forget something, and can automatically restore a forgotten item into active memory.
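`ledger.md` ← permanent archive, append-only, never deleted ... `dream forget` ... records in the ledger are not affected by `dream forget` and are kept permanently ... if the content appears again in a later conversation, re-emergence is triggered automatically and it is written back to MEMORY.md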
Add an explicit purge option for the ledger, disable re-emergence for user-forgotten items unless the user consents, and clearly separate active memory deletion from permanent archive retention.
If invoked incorrectly or influenced by bad instructions, the helper could overwrite local files outside the intended memory vault.
The helper accepts an arbitrary target path and moves a temp file over it, with the size check only applying to MEMORY.md and no visible restriction to the OpenClaw workspace or Dream vault.
`--atomic-write <target-file> <tmp-file>` ... `other files only get an existence check` ... `ensure_dir "$target"` ... `mv "$tmpfile" "$target"`
Restrict atomic writes to an allowlist such as MEMORY.md and files under DREAM_VAULT_PATH, reject absolute or parent-traversal paths outside those roots, and create backups for destructive replacements.
Memory and archive files may change overnight without a prompt or visible message.
Scheduled silent execution is disclosed and aligned with the skill's stated purpose, but it still means the agent can update persistent memory and retry later without notifying the user.
**Fully automatic, silent execution (no message is pushed when the 03:30 trigger fires).** ... `dream-tools.sh --check-idle → busy? write pending, retry after 15 minutes, up to 06:00`
Only enable the schedule if you want unattended memory maintenance; prefer visible logs, an opt-out switch, and a manual-review mode for sensitive environments.
Users may not realize the skill depends on local shell tools and a vault path until reading the skill documentation.
The registry metadata under-declares setup compared with the skill files, which reference jq/wc, DREAM_VAULT_PATH, and manual installation steps. This affects transparency but is not by itself malicious.
Source: unknown ... Required binaries: none ... Required env vars: none ... No install spec — this is an instruction-only skill.
Declare jq/wc, DREAM_VAULT_PATH, and the reviewed source/install method in metadata so users can evaluate the real setup requirements before installation.
