我的脑子 (My Brain)
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a no-code memory-organization skill; its main risk is that it asks the agent to keep and reuse persistent user-memory files, which is disclosed and aligned with its purpose.
This skill appears safe to install as an instruction-only memory template, but treat its memory files as persistent personal notes. Review what gets written, avoid secrets, be cautious with heartbeat automation, and do not assume encryption unless your OpenClaw environment separately provides it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Old, incorrect, or overly personal memory entries could shape future answers until the user reviews or edits the files.
The skill explicitly tells the agent to read persistent memory and user-profile files at the start of sessions, so stored content can influence future behavior.
Read at the start of each session: 1. SOUL.md ... 2. USER.md ... 3. memory/YYYY-MM-DD.md ... 4. MEMORY.md
Review USER.md, MEMORY.md, and daily memory files regularly; avoid storing secrets or sensitive personal details; ask the agent to confirm before adding important memories.
If enabled, the agent may maintain memory on a schedule rather than only during direct user requests.
The skill documents an optional recurring heartbeat-style reflection task that can update persistent memory.
A daily reflection task can be configured in HEARTBEAT.md: ... update MEMORY.md
Only enable HEARTBEAT.md automation if you want scheduled memory updates, and keep the scope of those updates narrow and reviewable.
Users might assume memory records are encrypted when the skill itself does not provide encryption.
The rule claims conversation records should be encrypted, but the provided artifacts are Markdown instructions/templates with no encryption implementation or install mechanism.
Conversation records: encrypted storage
Do not rely on this skill alone for encryption; use platform-level encrypted storage or avoid writing sensitive information into memory files.
A user looking for the setup script may find the package incomplete or inconsistent.
The documentation lists a setup script, but the supplied manifest and code-file summary show no script files. There is no instruction to run it, so this is a packaging/documentation inconsistency rather than evidence of hidden execution.
scripts/ └── setup.sh # installation bootstrap script
Install using the documented ClawHub/manual copy method and ignore absent scripts unless the publisher supplies them in a future reviewed package.
