Skill v0.1.0

ClawScan security

DreamMoon MemProcessor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 6:32 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini

Summary
The package generally matches a persona/memory service but contains several surprising or risky implementation choices (default filesystem paths, pickle use, unauthenticated HTTP, config-reading behavior) that are disproportionate to an install-only instruction and warrant review before use.
Guidance
What to consider before installing/starting this skill:
- The code implements a full local memory service (HTTP API, SQLite, markdown files, FAISS) and will create and modify files on disk. By default it writes under /root/.openclaw — review and change BASE_DIR before running if you don't want data in that path.
- The HTTP API appears unauthenticated by default (ALLOWED_ORIGINS='*', API_KEY default empty) and the app binds to 0.0.0.0 by default; this can expose your data and endpoints to other machines. Do not run it on a network-exposed host without adding authentication and binding to localhost.
- L1 uses Python pickle.loads when reading cached data. Pickle is unsafe for untrusted data because it can execute arbitrary code. Only run this service in a trusted environment and avoid feeding it untrusted serialized inputs.
- ConfigSync can load arbitrary JSON/YAML files and will create personas from them; be careful not to point it to sensitive system files. Similarly, the service persists truncated content (e.g., L4 stores the first 500 chars) which may include secrets — review retention/archival policies.
- SKILL.md/README use different ports (9090 vs 8080) — double-check configuration before exposing the service.
- Inspect requirements.txt and memory-manager.sh (not shown or truncated) before pip installing or running any startup scripts; FAISS and other binary packages can be heavy and may require special installation steps.

Recommended actions:
- Run in an isolated environment (VM, container) with controlled network access.
- Change BASE_DIR to a non-root path you control and confirm permissions.
- Set API_KEY and implement authentication, or bind the service to localhost only.
- Inspect memory-manager.sh and any omitted files for networking/backups before use.
- If you prefer minimal risk, use a reviewed hosted memory API or a smaller, read-only instruction-only skill instead of running this code locally.

Review Dimensions

Purpose & Capability
Note: The codebase implements a multi-layer memory + persona engine (L1-L4, persona APIs, embedding/FAISS storage), which aligns with the skill name/description. However, some defaults and extras are unexpected for a drop-in OpenClaw skill: a hard-coded BASE_DIR default of /root/.openclaw, on-disk archive/markdown storage and FAISS vector index creation, and a ConfigSync that can load arbitrary JSON/YAML files. These are plausible for a standalone memory service but are heavier and more invasive than a minimal 'agent skill' that only needs to call an external API.
Instruction Scope
Concern: SKILL.md instructs the user to pip install the requirements and run start-simple.py. The runtime code will create directories under BASE_DIR, write and delete files (L3/L4), initialize a SQLite DB, and expose an HTTP API. The example curl in README/SKILL.md uses port 9090 while the config default is 8080 (inconsistency). There is no instruction to secure the API; the routes shown do not perform authentication checks. ConfigSync can read an arbitrary config_path (JSON/YAML/directory) and will feed that into persona creation — this could lead to the service reading local files if misused. L1 deserializes with pickle, which can execute arbitrary code if given crafted data. These behaviors expand the runtime scope beyond a simple helper and could expose or persist sensitive data.
Install Mechanism
OK: There is no install spec in the registry (instruction-only). The package includes a requirements.txt and many Python modules; installation is via pip install -r requirements.txt as instructed. Notable runtime dependencies are faiss/numpy/SQLAlchemy/fastapi, which are expected for a local vector/indexing service. No downloads from untrusted URLs are present in the provided files. Because it's instruction-only, the installer will fetch these packages from PyPI (normal risk).
Credentials
Concern: The registry declares no required env vars, but the application uses a Settings object that reads .env and exposes many configuration options (REDIS_PASSWORD, API_KEY, REDIS_HOST, etc.). Defaults allow the service to run without credentials, but that means data will be stored on disk and served without authentication by default (ALLOWED_ORIGINS=['*'], API_KEY empty). Requests for env vars are not explicit in SKILL.md, so the implicit reliance on .env and filesystem config is disproportionate and should be made explicit.
Persistence & Privilege
Concern: The service persists files under BASE_DIR (default /root/.openclaw), creates a SQLite DB, writes FAISS indexes and tar.gz archives, and deletes original files when archiving. It therefore will create and modify persistent storage on the host. The skill is not marked always:true, but its default behavior will write data under a root-owned path and open an unauthenticated HTTP API (host default 0.0.0.0), increasing the blast radius if run on a network-accessible host.