Fleet Memory Manager
Warn
Audited by ClawScan on May 18, 2026.
Overview
The memory system is mostly coherent, but its templates add broad persistent memory, account-checking, local secret-note guidance, and a bootstrap instruction that can overreach beyond the stated memory purpose.
Install only if you are comfortable with a persistent agent memory system. Before using it, remove the BOOTSTRAP auto-follow/delete rule, do not store secrets in TOOLS.md, disable or explicitly scope email/calendar heartbeat checks, and tighten which memory files can be loaded in group chats.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A workspace file could change how the agent behaves on first run, and the agent may delete that file before the user has reviewed what happened.
The template makes an arbitrary local BOOTSTRAP.md authoritative and instructs the agent to delete it afterward, which could let untrusted or stale local instructions redirect the agent and remove evidence without user review.
If `BOOTSTRAP.md` exists, that's your initialization script. Follow it, get context about who you are, then delete it.
Treat BOOTSTRAP.md as user-provided context only, summarize it first, ask before following impactful instructions, and do not delete it without explicit approval.
Secrets placed in local notes could be read by future agent sessions, accidentally exposed in context, or mishandled by other tools or integrations.
The memory-manager template encourages storing API keys and SSH details in a local markdown file, which is sensitive credential handling outside the skill’s declared requirements and stated memory-management purpose.
Keep local notes (API keys, SSH details, voice preferences) in `TOOLS.md`.
Do not store API keys, SSH secrets, or tokens in plain workspace notes; use a dedicated secret manager or explicitly scoped credential mechanism.
If the agent has access to email or calendar tools from elsewhere, this skill could prompt recurring review of sensitive account data beyond what a user may expect from a memory setup skill.
The heartbeat template directs the agent to access email and calendar data on a recurring basis, but the registry declares no credentials and the skill is presented primarily as a memory manager.
### Email Check (every 2-4 hours during active hours)
- Check for urgent unread messages
...
### Calendar Check (twice daily — morning + afternoon)
- Upcoming events in next 24h
Make email/calendar monitoring optional, require explicit user opt-in, document required credentials, and scope exactly which accounts, folders, calendars, and notification channels may be used.
Private user profile or operational notes could influence responses in shared chats and increase the chance of accidental disclosure or poisoned memory affecting future behavior.
The template requires automatic memory loading, including USER.md and daily notes, even in group/shared contexts; those files are persistent and may contain personal preferences, project state, or other sensitive context.
**Don't ask permission to load memory. Just do it.**
| Group chat / Discord channel | SOUL.md → USER.md → today/yesterday (NO MEMORY.md) |
Require explicit user approval for memory loading in shared contexts, avoid loading USER.md in group chats by default, and define redaction/exclusion rules for sensitive daily notes.
The agent’s future behavior can change overnight based on automated consolidation, including updates to MEMORY.md and USER.md.
The nightly cron is disclosed and purpose-aligned, but it creates ongoing autonomous activity that reads and updates persistent memory files.
Add a cron job to consolidate memory each night at 2 AM:
`0 2 * * * openclaw cron run memory-consolidation --model anthropic/claude-opus-4-5 --channel <your-main-channel-id>`
Use this only with a trusted channel and model, keep backups or diffs of memory changes, and review the consolidation log periodically.
