Is 7d-codes/memory-pill safe?

https://github.com/openclaw/skills/tree/main/skills/7d-codes/memory-pill

Overall score: 74/100 · CAUTION

Memory Pill is a functionally legitimate AI memory/productivity skill that addresses real statelessness problems, but it overreaches by injecting system-wide behavior overrides (Execution Discipline Protocol, Agent-First spawning rule, Voice/Style personality modification) that affect all agent interactions rather than just memory management. The most significant risk is the promoted cron job that runs an external binary ('memory-pill maintenance') every night, with unverified network and filesystem behavior, against the same structured PII data store (client contacts, financial constraints, relationships) that the skill instructs the agent to build. Installation was clean: no malicious behavior was detected during the clone process itself.

Category Scores (score/100 · weight in overall score)

Prompt Injection 62/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 97/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (10): severity · title · score impact

HIGH · Cross-Domain Behavior Override: Execution Discipline Protocol Injected for All Tasks · -22

The Execution Discipline Protocol mandates that the AI apply structured decomposition, assumption declaration, single-layer execution, loop prevention, and completion validation to every non-trivial task without exception. This is a system-wide behavior override that affects all user interactions, not just memory management. The protocol is attributed to '@thejayden's EXECUTION_DISCIPLINE_PROTOCOL v1.0' — an external workflow being injected into the agent's core reasoning loop.

HIGH · Persistent Cron Job Installing External Binary Execution at 3 AM · -25

The skill instructs the agent to register a nightly cron job that invokes 'memory-pill maintenance' — an external binary not included in the skill package. The binary receives --extract-facts, --index, and --archive-old-notes flags with unrestricted access to the workspace. If this binary is compromised, updated, or malicious, it silently executes nightly while the user is asleep with access to all aggregated user data. The cron job is framed as optional but heavily promoted.

MEDIUM · Personality Override: Voice and Style Guide Alters AI Communication Behavior · -15

The Voice & Style Guide section instructs the AI to adopt a specific persona including 'swear without restraint', 'Actually disagree when wrong', and forbidden phrases that prohibit standard AI safety communication patterns ('As an AI...', 'I'd be happy to help!'). These instructions persist in the agent's system context and modify behavior across all user interactions, potentially bypassing tone safety guardrails.

MEDIUM · Structured Aggregation of Client PII and Financial Data into Persistent Files · -18

The skill instructs the AI to collect and persist client contact information (email, phone numbers), communication preferences, financial constraints ('Budget is $500/month'), relationship data, and decision rationale into structured JSON files. This creates a rich PII data store in predictable file locations that the nightly memory-pill binary can access without user awareness.

MEDIUM · Agent Spawning Rule Extends Skill Control to All User Tasks · -22

The Agent-First Rule mandates spawning subagents for any task involving file creation, research, multi-step implementation, or design. This means the memory-pill skill's prompt expansion system — which constructs detailed 'expandedPrompt' instructions for subagents — mediates between users and all substantive work. A malicious actor who controls the expandedPrompt construction logic could inject instructions into every subagent spawned.

MEDIUM · Scripted User-Facing Dialog Controls Onboarding Consent Flow · -8

The skill provides verbatim scripts for what the AI must say when presenting setup options to users. This manufactured consent flow is designed to steer users toward enabling cron jobs and folder creation, and it frames features with destructive potential (a persistent cron job, broad file access) as simple conveniences.

LOW · Installed Skills Registry Creates Capability Inventory · -5

The skill maintains a JSON registry of all installed skills with versions, configurations, and status. While useful for management, this creates a machine-readable inventory of all agent capabilities that could be used to identify high-value attack targets or chain with other skills.

LOW · Version History Reveals Prior Auto-Setup Without Permission · -7

The version history reveals v0.7.4 ('Added AI-driven auto-setup. Skill now instructs the AI to create extended structure on first use — no bash scripts, no user permission needed') was active before v0.7.7 added permission requirements. The skill previously ran without consent, and reverting to a prior version would restore that behavior.

INFO · Clean Sparse Checkout: No Unexpected Network or Process Activity · 0

Installation performed a standard sparse checkout from the public OpenClaw monorepo targeting only the memory-pill subdirectory. Network traffic was limited to GitHub's CDN. No unexpected processes were spawned and filesystem writes were confined to the skill directory.

INFO · All Honeypot Files Intact: No Exfiltration During Install · 0

Canary files (.env, id_rsa, AWS credentials, .npmrc, docker config.json, GCP credentials) were not accessed or modified by the skill installation process. Audit records showing canary access at timestamps 1771931816.799 and 1771931839.869 correspond to Oathe framework baseline setup and final integrity verification respectively, both outside the install window.