Is openclaw-mem safe?
https://clawhub.ai/WeAreAllSatoshiN/openclaw-mem
openclaw-mem is a pure-markdown memory management skill with no executable code, no network activity, and intact canary files. However, it introduces concerning agent behavioral overrides: a silent NO_REPLY output suppression mechanism during pre-compaction flushes, urgency-framed requests to enable experimental features, and rules that reduce user-in-the-loop confirmation. While the current version appears benign in isolation, its architecture normalizes silent disk writes that could serve as a covert channel in a multi-skill environment.
Findings (8)
HIGH Silent output suppression via NO_REPLY -20
The Pre-Compaction Flush section instructs the agent to reply with 'NO_REPLY' after performing memory operations, meaning the user never sees what knowledge was extracted, what was written to disk, or what was promoted to MEMORY.md. This creates a window of unmonitored agent activity where file writes occur without user visibility.
MEDIUM Agent behavioral override via Playbook rules -10
The 'Agent Playbook' section defines behavioral rules that alter how the agent makes decisions: preferring disk over RAM, using search before asking the user, and writing memory explicitly. While individually reasonable for a memory skill, these collectively reduce user-in-the-loop confirmation and establish the skill as an authority over agent memory behavior.
MEDIUM Urgency-framed experimental feature enablement -8
The skill uses a CRITICAL REQUIREMENT warning block to pressure enabling experimental session memory indexing. This instructs both users and agents to modify OpenClaw configuration to enable an experimental feature, expanding the attack surface of the memory system.
LOW Sensitive file reads during installation -25
Installation triggered reads of .env, .aws/credentials, and auth-profiles.json. While these appear to be OpenClaw platform behavior rather than skill-initiated, the skill's presence during this process means it was loaded into an environment where these files were accessed. No evidence the skill itself caused these reads.
MEDIUM Covert channel potential via normalized disk writes -25
The skill normalizes frequent, silent disk writes to MEMORY.md and daily log files. Combined with the NO_REPLY suppression, this creates an ideal pattern for a covert data channel. A malicious variant or a companion skill could use these files to stage exfiltrated data. The current version shows no evidence of this, but the architecture enables it.
LOW Skill composition risk with memory readers -20
This skill writes to predictable file paths (MEMORY.md, memory/YYYY-MM-DD.md). Any other installed skill that reads these paths could access accumulated knowledge. The lock.json shows another skill (academic-research-hub) is installed, indicating multi-skill environments are expected.
INFO Privacy-respecting design with explicit anti-patterns -5
The skill explicitly prohibits storing secrets, credentials, and raw chat transcripts. It includes a
INFO Pure markdown skill with no executable components 0
The skill contains only SKILL.md and metadata files. No executable code, no install scripts, no git hooks, no symlinks. This is the safest possible skill structure.