User Context Scanner
Rating: Warn. Audited by ClawScan on May 10, 2026.
Overview
This skill matches its stated profiling purpose, but it automatically scans local memory and stores detailed personal-profile evidence with limited user control and limited privacy guarantees.
Install only if you are comfortable with the agent scanning OpenClaw memory files to build a persistent personal profile. Before use, check where ~/.openclaw/workspace/.soul/user-profile.json and user-evidence.jsonl are stored, decide whether raw evidence should be saved, and disable or constrain automatic scans/signals if you want manual control.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could update a long-lived personal profile based on local memory files without the user noticing each scanned source.
The scan operation bulk-reads local workspace memory Markdown files and extracts profile evidence. This fits the stated purpose, but it is high-impact local data processing and the artifacts do not clearly show per-scan approval, preview, or exclusion controls before profile updates.
const MEMORY_DIR = join(WORKSPACE, 'memory');
...
const files = readdirSync(MEMORY_DIR).filter(file => file.endsWith('.md'))
...
const content = readFileSync(filePath, 'utf-8');
const evidence = extractEvidenceFromContent(content, file);

Require explicit user approval before scans, show which files will be read, provide a dry-run preview of extracted evidence, and support clear opt-out/exclusion settings.
Sensitive facts and excerpts about the user may be stored and reused later, potentially influencing future agent behavior or exposing private data on the local machine.
The skill persists profile data and evidence as local JSON/JSONL files. Because the profile includes sensitive personal context and extracted evidence, persistent reuse across sessions needs stronger scoping, retention, deletion, and protection controls than the artifacts demonstrate.
const PROFILE_PATH = join(WORKSPACE, '.soul', 'user-profile.json');
const EVIDENCE_PATH = join(WORKSPACE, '.soul', 'user-evidence.jsonl');
...
writeFileSync(PROFILE_PATH, JSON.stringify(profile, null, 2), 'utf-8');
...
appendFileSync(EVIDENCE_PATH, line + '\n', 'utf-8');
Store only user-approved fields, minimize raw excerpts, add retention/deletion controls, clearly document where data is kept, and consider encryption or access controls for sensitive fields.
Users may trust the skill with sensitive personal details believing they are encrypted when the reviewed code does not show encryption.
The documentation claims encrypted local storage and extra protection for sensitive fields, but the provided code writes JSON and JSONL profile/evidence files directly with no visible encryption. This could overstate the privacy protection users receive.
"All profile data is stored locally with encryption; sensitive fields receive additional encryption protection."
Either implement encryption for profile and evidence files or revise the documentation to accurately state that data is stored locally in plaintext.
If other components can send signals, they may influence when the profile is updated.
The skill is designed to process signals from a proactive engine and automatically update the profile. This is disclosed and purpose-aligned, but the artifacts do not describe signal origin validation or permission boundaries.
"This skill integrates with the proactive-engine signal system through the `--process-signal` parameter and supports automatic updates of the user profile."
Document which signal sources are trusted, what each signal can trigger, and whether the user can disable automatic signal-based profile updates.
If a user installs dependencies manually, the exact packages resolved may differ from what was reviewed.
The package declares ranged npm dependencies, while the review context has no install spec and the supplied lockfile does not appear to cover all declared dependencies. There is no automatic install shown, so this is a provenance/setup note rather than a direct execution concern.
"dependencies": { "date-fns": "^3.6.0", "natural": "^6.11.2", "commander": "^11.0.0", "chalk": "^5.3.0" }

Provide a complete lockfile or pin dependencies, and document the installation command and expected dependency set.
