Memory Enhancer Pro
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears local and memory-related, but it has path and scope inconsistencies that could make it read sensitive OpenClaw memory/profile files and write stats into a different skill folder.
Install only if you are comfortable with local scripts reading OpenClaw memory/profile files. Before using optimization or scheduling, verify the install path, fix the hard-coded memory-enhancer directory if needed, disable unwanted schedules, and back up your memory files before any cleanup.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may confuse or modify another memory-enhancer installation’s configuration/stat files, making behavior harder to predict or roll back.
This evaluated skill is named/slugged as a Pro variant, but this hard-coded path points at skills/memory-enhancer; the script later writes token-stats.json under that parent config directory, which can create or overwrite files outside the Pro skill’s own folder.
OPTIMIZER_CONFIG = WORKSPACE / "skills" / "memory-enhancer" / "config" / "token-optimizer.json"
Before installing, verify the actual install directory and change hard-coded paths to the current skill directory, preferably using paths relative to the script.
Local memory/profile files may be inspected and summarized as token counts, which could reveal what kinds of persistent context exist even though the code does not upload contents.
The optimizer reads persistent OpenClaw memory, session state, user profile, and agent files to calculate token statistics; this is purpose-aligned but involves sensitive local context.
files_to_check = [MEMORY_FILE, SESSION_STATE, WORKSPACE / "USER.md", WORKSPACE / "SOUL.md", WORKSPACE / "AGENTS.md"]
Use this only if you are comfortable with local scripts reading these OpenClaw workspace files, and avoid storing secrets in memory/profile files.
Running cleanup with --execute can permanently remove older local memory files.
The cleanup script can delete dated memory/*.md files older than the configured retention window; it defaults to dry-run unless --execute is supplied, so the deletion is bounded and user-directed.
else:
    md_file.unlink()
    log_success(f"已删除:{md_file.name}")
Run dry-run first, back up ~/.openclaw/workspace/memory, and only use --execute after reviewing the files that will be removed.
If a scheduler is connected to this config, the skill can keep running periodically and writing logs/stats without a fresh manual command each time.
The package ships a schedule configuration marked enabled, and the scheduled-optimizer script supports recurring analyze/compress/suggest tasks, although the documentation says cron setup is manual.
"enabled": true,
"schedule": {
"analyze": "0 8 * * *",
"compress": "0 3 * * 0",
"suggest": "0 8 * * 1"
}
Check and disable the schedule config unless you intentionally want recurring optimization; only add cron entries after testing manually.
It may be harder to know exactly which release or code lineage you are installing.
The skill documentation contains multiple conflicting version labels, and the registry metadata separately lists version 0.1.5 with unknown source/homepage, which weakens provenance clarity.
version: 2.0.0 ... **版本:** 1.0.0 ... **版本:** 1.0.1
Prefer a package with consistent versioning and a verifiable homepage/source, or manually inspect the included files before use.
