v1.1.0

Secretary Memory Hook

SuspiciousClawScan verdict for this skill. Analyzed Apr 30, 2026, 8:37 PM.

Analysis

This memory hook has a plausible purpose, but it automatically persists message content and runs unbundled Python scripts through unsafe shell commands.

Guidance: Install only if you already trust the separate secretary-memory scripts, accept automatic storage and recall of message content, and are comfortable with this hook running code on session events. Prefer an updated version that declares its dependencies, avoids shell interpolation, uses configurable storage paths, and provides opt-in memory controls.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
handler.ts
const cmd = `python3 ${script} ${args.join(" ")}`; ... await execAsync(cmd, { timeout: 60000 });

The handler builds a shell command by joining event-derived arguments without quoting or escaping, so shell metacharacters in those arguments can change the executed command.

User impact: A malformed or crafted session event value could cause the hook to run unintended shell commands under the OpenClaw process permissions.
Recommendation: Replace shell exec with execFile/spawn using an argument array, validate session IDs, and avoid interpolating event data into shell strings.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
handler.ts
const SKILL_SCRIPTS = "/root/.openclaw/workspace/skills/secretary-memory/scripts";

The skill depends on external Python scripts at an absolute path, but those scripts are not part of this package’s file manifest and there is no install spec pinning or verifying them.

User impact: The hook may execute code from a separate, unreviewed local installation, so the reviewed package does not fully represent what will run.
Recommendation: Bundle or pin the required scripts, declare the dependency in install metadata, and verify script provenance before enabling the hook.

Unexpected Code Execution
Severity: High | Confidence: High | Status: Concern
handler.ts
await runPython(`${SKILL_SCRIPTS}/session_summary.py`, ["--session-id", sessionKey, "--verbose"]);

The hook automatically executes Python scripts on session events, using the shell-based runPython helper and external scripts outside the reviewed artifact set.

User impact: Installing the hook gives it automatic code-execution behavior during normal session lifecycle events.
Recommendation: Use direct process execution with fixed paths and sanitized arguments, and clearly disclose all scripts that will run automatically.

Cascading Failures
Severity: Medium | Confidence: Medium | Status: Concern
HOOK.md
`message:sent` | Incrementally record reply content to the log ... `session:compact:after` | Run `context_loader.py` to load context

The hook records message content into memory and later loads historical context after compaction, so bad or sensitive content can propagate across session boundaries.

User impact: A single incorrect, malicious, or sensitive message could be saved and reintroduced into later conversations.
Recommendation: Add containment controls such as per-session opt-in, validation, deduplication, user review before recall, and easy deletion of stored memory.

Human-Agent Trust Exploitation
Severity: Low | Confidence: High | Status: Concern
handler.ts
if (type === "message" && action === "sent") { await handleMessageSent(event); return; }

The actual handler includes a message:sent auto-logging path, while the main SKILL.md description presents the hook as based on compact-before and compact-after events.

User impact: Users may install the skill expecting only compaction-time memory behavior, not logging after every sent message.
Recommendation: Update SKILL.md and metadata to disclose all triggers, storage behavior, script names, and disabled features consistently.

Rogue Agents
Severity: Info | Confidence: High | Status: Note
SKILL.md
The hook is automatically discovered and enabled by OpenClaw

The hook is designed to be automatically discovered and enabled, so it will keep reacting to configured events until disabled.

User impact: This is consistent with the hook’s purpose, but users should understand it is persistent event-driven behavior rather than a one-time command.
Recommendation: Enable it only if continuous memory automation is desired, and know how to list, check, and disable the hook.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: Medium | Status: Note
handler.ts
const logPath = `/root/.openclaw/workspace/memory/daily/.增量日志_${sessionKey}.mdl`;

The hook writes inside a hard-coded root OpenClaw workspace path using the privileges of the hook process, even though the metadata declares no required config paths.

User impact: The skill does not request external account credentials, but it does rely on local workspace permissions and can mutate files in the OpenClaw memory area.
Recommendation: Install only if this workspace path is expected, and prefer a declared, user-configurable storage location with clear write boundaries.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Concern
handler.ts
const content = event.context?.content || ""; ... require("fs").appendFileSync(logPath, logLine);

The hook automatically persists message content snippets into a hidden daily memory log, creating reusable memory from conversation data.

User impact: Sensitive or misleading content from a conversation may be stored and later influence future sessions through the memory system.
Recommendation: Make message logging opt-in, sanitize stored content, provide retention/deletion controls, and clearly mark recalled memory as untrusted context.