OpenClaw Memory System
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a real memory-system skill, but it needs review because it automatically stores and reuses conversation data, conflicts with its own local-only privacy claims, and encourages autonomous crypto payments.
Install only if you are comfortable with automatic long-term memory. Prefer local embeddings, do not give the agent wallet spending authority without explicit approvals, inspect the local database/dashboard regularly, and verify the package source/metadata before use.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Sensitive details or incorrect/poisoned memories could be stored long-term and influence future agent behavior without the user re-approving each memory.
The skill is designed to automatically persist conversation-derived memories, including potentially secret facts, and reuse them in later prompts.
Automatic Learning - Extracts facts, preferences, and patterns from conversations ... Smart Retrieval - Injects relevant memories before each request ... Facts - "User's API key is abc123"
Use only with non-sensitive conversations unless the skill adds clear opt-in capture, secret redaction, memory review/delete controls, and provenance/trust labeling for injected memories.
A user may believe memories never leave the machine while memory text or queries may be sent to OpenAI for embeddings.
The privacy claim says nothing is sent externally, but the documented default embedding provider is OpenAI, and the static scan found OPENAI_API_KEY use with network sending.
All data stored locally (nothing sent to external servers) ... Embedding Options: 1. OpenAI (default)
Correct the privacy claims, make local embeddings the default for private mode, declare OPENAI_API_KEY in metadata, and clearly warn users before any memory content is sent to an external provider.
If an agent has wallet access, it could spend funds on this skill's Pro tier without the user noticing or approving the transaction at the time.
The documentation encourages agents to make a paid crypto subscription decision autonomously, without requiring explicit human confirmation or spending limits.
AI agents can autonomously pay for unlimited storage ... No human in the loop
Require explicit human approval for payment, document spending caps, and do not instruct agents to self-upgrade unless the user has pre-authorized that exact action.
Memories from different users, sessions, or agents could be mixed under the same default identity, causing privacy leakage or incorrect future recall.
The message-preprocessed hook falls back to a hardcoded wallet identity when no wallet is configured, then stores inbound message memories under that identity.
const wallet = process.env.OPENCLAW_MEMORY_WALLET || 'assistant-shrimp-main';
Skip memory capture when no explicit wallet/user identity is present, and require the identity boundary to be configured rather than using a shared fallback.
For a skill that installs hooks, stores private memory, and handles payments, inconsistent provenance makes it harder to verify who published the code and whether the reviewed package is the intended one.
This conflicts with the supplied registry metadata showing a different owner ID, slug, and version; the registry also lists source as unknown and no homepage.
"ownerId": "kn74bgzn68zbhdf3x58hj88ebs80hr3p", "slug": "openclaw-memory", "version": "1.0.0"
Publish consistent registry and package metadata, replace placeholder links with a real repository, and verify the package source before installing.