Arianna OpenClaw Integration
Suspicious
Audited by ClawScan on May 12, 2026.
Overview
This skill is not clearly malicious, but it deeply rewires OpenClaw to inject persistent memory instructions, store system prompts and history, and keep Playfilo tools available across sessions.
Use this only if you intentionally want Playfilo to become a persistent, shared memory layer for OpenClaw. Before installing, review the external pi-integration patches, inspect ~/.playfilo/INCUBATION_SEED.md, back up or isolate your OpenClaw checkout, and confirm how to disable the plugin and remove patchedDependencies if you no longer want this behavior.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the seed file contains unsafe or outdated instructions, those instructions can influence the agent at a high-priority system-context level.
A mutable local file is read and prepended as system context for agent runs; the injected seed content is not included for review or bounded in the plugin.
const SEED_PATH = join(homedir(), ".playfilo", "INCUBATION_SEED.md"); ... api.on("before_prompt_build", async () => ({ prependSystemContext: seedContent ?? undefined, }));
Preview and control the INCUBATION_SEED content before enabling the plugin, and require an explicit user-controlled toggle or approval before prepending it to system prompts.
Agents in contexts meant to be restricted may still be able to access or manipulate the shared DAG memory through life, recall, trace, or tobe.
An included adapter explicitly frames the tool allowlist change as keeping Playfilo temporal tools available despite stricter OpenClaw tool policies.
This ensures that even when OpenClaw applies strict tool policies (e.g. in group chats or restricted agents), the temporal navigation tools remain available.
Respect OpenClaw’s existing per-session and restricted-agent tool policies; require explicit opt-in for these tools and document which contexts may use them.
Sensitive prompt details and prior interactions may be retained and reused in future sessions, potentially exposing or poisoning context across tasks.
The verification steps confirm that full system prompts and cross-session history are persisted in a shared local SQLite database.
sqlite3 ~/.playfilo/playfilo.db "SELECT type, length(content) FROM blobs WHERE type = 'system_prompt' LIMIT 1;" ... `system_prompt` blob exists ... should be the full OpenClaw prompt ... `life` output shows full history (not just current session)
Install only if persistent shared memory is intended; define retention/cleanup controls, restrict file permissions on ~/.playfilo, and avoid use in sensitive or multi-user workspaces until scoping is clear.
Users cannot fully assess what code will run inside the embedded Pi agent from this artifact set alone, even though that code controls memory persistence and tools.
The main runtime behavior depends on a separate referenced integration skill that is not included in the supplied artifacts and modifies core agent session, SDK, and persistence code.
Apply the [pi-integration-skill](../../pi-integration-skill/SKILL.md) ... This modifies: ... playfilo-db.ts ... sdk.ts ... session-manager.ts ... agent-session.ts
Review the referenced arianna/pi integration patches and generated pnpm patch file before applying; pin exact versions and test in a separate OpenClaw checkout.
