Skill v1.2.0
ClawScan security
Layered Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 12, 2026, 10:40 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's description (a local memory layer manager) is plausible, but the package and runtime instructions depend on external scripts and paths that are not included, and index.js uses execSync to run files under your HOME. The mismatch between the claimed self-contained purpose and the missing files deserves verification before use.
- Guidance: This skill appears to implement the claimed layered-memory functionality, but it has inconsistencies that you should resolve before installing or running it with real data:
  1. Verify that the external scripts it calls (~/clawd/scripts/generate-layers-simple.js, memory-extractor.js, memory-archiver.js) actually exist and inspect their contents; the package does not include them.
  2. Do not run it on sensitive conversation data until you have confirmed the helper scripts are trustworthy: execSync executes whatever code sits at those paths.
  3. Confirm the publisher/source (none is provided) and ask for a release that bundles all necessary components or documents the required runtime files.
  4. Run it in an isolated environment (container or VM) and back up your ~/clawd memory files before use.
  5. If you need a safer choice, prefer a version that bundles all of its scripts, or one from a known homepage/repository with a validated LICENSE and a reproducible build.
- Findings
- [use-of-child_process.execSync] expected: index.js uses execSync to run scripts under ~/clawd/scripts. Running local helper scripts is expected for a CLI wrapper, but because those helper scripts are not bundled, execSync will execute whatever files are present in the user's HOME: a risky implicit dependency.
Review Dimensions
- Purpose & Capability
- concern: The skill claims to be a self-contained L0/L1/L2 memory manager, but its code expects multiple scripts and files in ~/clawd/scripts (e.g. generate-layers-simple.js, memory-extractor.js, memory-archiver.js) that are not bundled. test.js also expects a LICENSE file and scripts under the user's HOME. Requiring undeclared external files in the user's home is disproportionate to the described purpose and will either cause failures or silently execute whatever is present there.
- Instruction Scope
- note: SKILL.md describes benign CLI usage (generate/read/search) and integration guidance (cron, hooks). However, the documentation and code instruct reading and writing many files under HOME (~/clawd, ~/.clawd, memory daily files) and installing cron jobs and hooks. The hook injects a bootstrap reminder into the agent's bootstrapFiles. These actions are consistent with a memory manager, but they also give the skill access to conversation contents and local files, so verify that you want a skill that will read and write your workspace memory files.
- Install Mechanism
- concern: There is no install spec (instruction-only), but the published bundle includes operational code (index.js, hooks, tests). The code calls child_process.execSync to execute scripts located in ~/clawd/scripts. Because the skill does not bundle those scripts, it implicitly depends on whatever files happen to be at those paths in the user's HOME, and execSync will execute them as-is.
- Credentials
- concern: The manifest declares no required env vars, but lib/config-loader reads environment variables prefixed with LAYERED_MEMORY_. index.js and much of the documentation rely on process.env.HOME and global paths. More importantly, the skill reads and writes user memory files and state files (e.g. ~/.clawd/.memory-checker-state.json, ~/clawd/memory/daily/...), which is appropriate for a memory manager but sensitive. The package neither declares nor justifies its dependency on external scripts in HOME, and it omits the LICENSE file its tests reference, which is inconsistent.
- Persistence & Privilege
- note: always:false (good). The skill installs an OpenClaw hook (handler.js) that injects a bootstrap reminder into agent context, which is expected for a memory helper. Combined with autonomous invocation and the ability to exec local scripts, this increases the impact if the external scripts or paths are untrusted. The skill does not request other skills' configs, but it will read and write local memory files and state files.
