Skillv0.1.0

ClawScan security

Memorist Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 12, 2026, 11:42 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and install steps mostly match its memoir/interview purpose, but it writes agent system prompts, modifies Openclaw bindings (creates persistent per-narrator agents), and a prompt-injection pattern was detected — review the generated agent templates and config changes before installing.
Guidance: This skill appears coherent with a local-first memoir tool, but it requests the installer create persistent per-narrator agents and to modify your Openclaw bindings and agent list. Before installing or running /memorist_agent spawn: 1) Inspect the template files (templates/memorist/*) and AGENTS.md that will be copied into the narrator workspace — this becomes the system prompt for the spawned agent. 2) Backup ~/.openclaw/openclaw.json and review any binding entries the skill proposes to add so you know which phone numbers/peers will be routed to new agents. 3) If you plan to enable voice transcription, confirm the pip/homebrew package names (mlx-whisper, openai-whisper) are the tools you want and install them manually if you prefer. 4) Be aware that spawned agents will run autonomously for their bound peer; only spawn agents for phone numbers/people you control. 5) If you are uncomfortable with automatic creation of agents or modifications to openclaw.json, use 'relay' or manual interview modes instead (no spawn needed). If you want a safer test, install in a disposable or backup environment first or run the skill without executing spawn/despawn steps.
Findings: [system-prompt-override] expected: The SKILL.md includes explicit instructions to write an AGENTS.md that becomes the narrator-agent's system prompt (this is expected for spawning per-narrator agents). However, this is exactly the pattern flagged by the scanner: skill-written system prompts can override/define agent behavior and must be reviewed carefully. The content contains explicit behavioral constraints that will be embedded into spawned agents (e.g., 'NEVER expose internal thinking', 'do it silently with tools'). That is legitimate for user privacy but also a potential prompt-injection vector if templates are maliciously altered.

Review Dimensions

Purpose & Capability: okThe skill is an oral-history / interview agent and the declared capabilities (local storage under ~/.openclaw, WhatsApp/relay modes, optional STT via mlx-whisper / openai-whisper) line up with its stated purpose. Allowed tools (file_read, file_write, whatsapp_send_message, fetch, web_search) are plausible for interviewing, transcript lookup, and optional media/API calls.
Instruction Scope: noteThe SKILL.md instructs the agent to read/write narrator data under ~/.openclaw/memorist_agent/, copy template files, spawn isolated narrator agents, and add peer-level bindings to ~/.openclaw/openclaw.json. Those actions are within the skill's domain but expand scope to system-level config (bindings) and creating independent agents. Also: the instructions explicitly create a narrator agent system prompt (AGENTS.md) and instruct it to operate silently (save first, then reply). That is expected for 'spawn' behavior but is a higher-privilege operation and worth human review. The SKILL.md also contains an instruction to reply even if a save failed (retry once, then reply anyway) which could cause data-not-saved situations — this is an operational oddity to be aware of.
Install Mechanism: okInstall steps are limited to installing local STT tools: pip3 install mlx-whisper (Apple Silicon) and a Homebrew formula openai-whisper. These are standard package distribution mechanisms (pip/homebrew) rather than arbitrary downloads. No remote archive/extract URLs or unknown servers were requested.
Credentials: okThe skill declares no required environment variables, no external API keys, and no unexpected credential requests. The permissions it needs (filesystem access under ~/.openclaw and the ability to call Openclaw gateway commands or gateway bindings) are proportionate to its functionality. There are no unrelated secrets or credential asks in the metadata.
Persistence & Privilege: concernThe skill instructs creating persistent, per-narrator agents and adding peer-level bindings to the user's global openclaw.json, which routes inbound messages directly to those spawned agents. That gives the spawned agents autonomous, persistent access to inbound messaging for the bound peer. While this matches the described auto-reply use-case, it is a relatively powerful and persistent change to your Openclaw configuration — examine the templates and produced agent workspace (AGENTS.md, owner.json, bootstraps) before spawning. Combine this with the included system-prompt content (see scan findings) and the overall blast radius is higher than a purely instruction-only skill.