Back to skill
Skillv0.1.21
ClawScan security
OpenClaw Memory OS · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 30, 2026, 11:39 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions ask you to globally install and run an external npm package that has filesystem-wide collection capabilities, but the SKILL.md, readme, and registry metadata contain contradictory statements about required binaries and implemented security features — proceed with caution and audit the npm package before installing.
- Guidance
- Do not install blindly. Because this skill only provides instructions to install an external npm package (which will execute third-party code and can scan your filesystem), audit the package before installing: use npm pack to inspect its contents, check package.json for postinstall scripts and the exact published version, review the repository at the verified commit referenced in the SKILL.md (confirm which commit is authoritative), and run the CLI in an isolated VM or container with network disabled first. Never enable AUTO-TRIGGER or run broad collection commands (e.g., collect --source ~/) until you confirm the installed version actually implements the path protections, confirmation prompts, and privacy filter it claims. If you lack the ability to fully audit, prefer not to install globally; instead run in a throwaway VM or avoid enabling autonomous agent invocation.
- Findings
[none_detected] expected: No regex-based findings because the skill bundle contains only documentation and no code files. Absence of findings is not proof of safety — the SKILL.md instructs installing an external npm package which was not analyzed here.
Review Dimensions
- Purpose & Capability
- noteThe stated purpose (local conversation-memory storage) reasonably requires a CLI/runtime (Node/npm) and local storage under ~/.memory-os. However the registry metadata above lists no required binaries while SKILL.md explicitly requires Node.js >=18 and npm and a global npm install; this mismatch is incoherent and should be clarified.
- Instruction Scope
- concernSKILL.md instructs installing an external npm package and running a CLI that can scan arbitrary filesystem paths and create ~/.memory-os/. That capability is consistent with the skill's goal but the documentation contains conflicting claims about privacy protections: SKILL.md claims confirmation prompts, privacy filter, and path protection in v0.3.0, while the included readme documents older behavior (v0.2.2) where auto-trigger saved immediately and the privacy filter was not integrated. If you install the package version that lacks these safeguards, the CLI could collect sensitive files. The skill also includes keywords for auto-triggering saves — enabling that autonomously would broaden its access to the user's conversation/content.
- Install Mechanism
- noteThere is no embedded code in the skill bundle; SKILL.md directs a global npm install (npmjs.com). Installing an npm package globally is a common delivery method but executes third-party code and modifies system PATH (moderate risk). The install guidance even explicitly warns about code execution and recommends inspecting the package first, which is good practice.
- Credentials
- okThe skill does not request environment variables, credentials, or config paths beyond suggesting it will create and use ~/.memory-os/. No extraneous secrets are requested in the metadata. That is proportionate to a local-memory tool, but because the CLI can scan user directories, filesystem access is the primary sensitive capability.
- Persistence & Privilege
- notealways:false and no special platform privileges are requested. The only persistent effect is installing a global CLI binary and creating ~/.memory-os/. This is expected for a CLI tool, but combined with autonomous invocation (platform default) and the ability to enable AUTO-TRIGGER, it could lead to repeated/automatic collection if the installed package implements that feature without safeguards.