Skill v0.2.2
ClawScan security
Dream · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 28, 2026, 6:10 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's stated purpose (proactive maintenance and archiving of MEMORY.md) matches the files and runtime instructions; it operates locally on workspace and vault paths, asks for no secrets, and installs only a small JSON utility dependency (jq).
- Guidance: This skill appears coherent and implements what it claims: local distillation, archiving, and re-emergence tracking. Before installing: (1) verify the skill's source (SKILL.md references https://github.com/teman2050/dream-skill but registry metadata had 'source unknown'); (2) back up your existing MEMORY.md and any important workspace files; (3) review dream-tools.sh yourself (it runs locally and will modify files under your OpenClaw workspace and the configured DREAM_VAULT_PATH); (4) ensure jq and the OpenClaw CLI are installed and available on PATH; (5) if you want to limit automatic writes, avoid enabling the schedule or only allow manual invocation. If you are unsure about the origin or don't want a skill to autonomously modify your memory files, treat this as a manual tool instead of enabling scheduled/autonomous runs.
Review Dimensions
- Purpose & Capability (ok): The name/description (memory distillation, maintain MEMORY.md, archive to a ledger) align with the included script and SKILL.md. The script reads OpenClaw memory files, writes MEMORY.md and vault files, and calls the openclaw CLI — all expected for this purpose.
- Instruction Scope (note): Instructions and the shell script are narrowly scoped to reading memory/YYYY-MM-DD.md, updating MEMORY.md, and writing a vault under DREAM_VAULT_PATH. The skill will run 'openclaw agent status' to check idle state and can perform immediate writes during conversations. This is expected, but users should accept that the skill autonomously modifies MEMORY.md and creates/updates files under the configured vault.
- Install Mechanism (ok): No download/install spec beyond recommending jq via brew/apt; the skill is instruction-only with a local shell script. There are no external archive downloads or obscure URLs in the provided materials.
- Credentials (note): The skill declares a configurable DREAM_VAULT_PATH and uses OPENCLAW_WORKSPACE (with sensible defaults); it does not request credentials or secrets. Minor inconsistency: registry metadata lists no required env vars while SKILL.md documents DREAM_VAULT_PATH as config — the script supplies defaults so explicit envs are optional.
- Persistence & Privilege (ok): 'always' is false and the skill does not request system-wide privileges. It writes only to the OpenClaw workspace and the user-configured DREAM_VAULT_PATH, and it does not modify other skills' configs. Autonomous invocation is allowed (platform default), which is necessary for scheduled/distillation behavior.
