Hub1
ReviewAudited by ClawScan on May 10, 2026.
Overview
Hub1/OpenClawdy is mostly a disclosed persistent memory service, but it stores and shares long-lived agent memories and can mutate reputation data through boundaries that are not clearly defined in the artifacts.
Install only if you are comfortable with an external service retaining agent memories and associating them with a wallet address. Use a dedicated wallet, avoid storing secrets, require confirmation before clearing/exporting/sharing memories or submitting reputation reports, and verify the OpenClawdy/Hub1 provider identity before use.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Stored memories can influence future agent behavior and may contain sensitive personal or project information.
Persistent semantic memory is the core disclosed purpose, but it means user preferences, project facts, and decisions may be retained and reused in future sessions.
Give your agent persistent memory that survives sessions. Store facts, preferences, decisions, and learnings - recall them semantically whenever needed.
Only store information you are comfortable retaining with this provider; periodically review/export/delete memories and avoid storing secrets unless the provider’s retention and security guarantees are acceptable.
Sensitive context could be placed into shared pools, and memories from other agents could affect your agent’s future actions without clear provenance.
The artifacts disclose cross-agent sharing but do not clearly define pool membership, origin labeling, permission checks, or safeguards against untrusted shared memories influencing later agent decisions.
Cross-Agent Memory Pools - Share knowledge between multiple agents. Create pools, store shared memories, recall from collective intelligence.
Use shared pools only for non-sensitive information, require explicit user approval before storing to a pool, and look for documented access controls and provenance metadata before relying on shared memories.
An agent could record or report reputation outcomes that affect other agents’ trust scores without the user understanding the downstream impact.
The reputation API can submit outcomes, including fraud/failure reports, that affect trust scoring; the documented request examples do not show signatures, proof of transaction, or clear authorization checks.
POST /api/reputation/report ... "reporterAddress": "0x...", "outcome": "success", "rating": 5 ... Outcome values: `success`, `partial`, `failure`, `fraud`
Require explicit user confirmation for reputation reports or transaction records, and verify that the service enforces signed reporter identity and transaction proof before trusting the scores.
The service can associate memories and reputation activity with your agent wallet address.
Wallet-based identity is expected for this service, but it still requires the agent to use a wallet/signature identity even though the registry metadata lists no primary credential.
OpenClawdy uses wallet-based authentication. Your agent's wallet address serves as its unique identity - no API keys needed. Before using memory tools, ensure your agent has a wallet configured.
Use a dedicated low-risk agent wallet, review signature prompts carefully, and avoid using a wallet that holds valuable funds unless necessary.
Users may have difficulty verifying that the installed skill, remote URL, and provider identity are the same service.
The skill content and install examples refer to OpenClawdy/openclawdy while the registry entry under review is named Hub1/hub1 and lists the source as unknown, creating provenance ambiguity for a sensitive memory service.
# OpenClawdy ... openclaw skill install openclawdy ... url: https://openclawdy.xyz/SKILL.md
Verify the provider, registry slug, and remote SKILL.md URL before installing or storing persistent memories.