Is gavdalf/total-recall safe?
https://github.com/openclaw/skills/tree/main/skills/gavdalf/total-recall
Total Recall is a legitimate autonomous memory skill, but its core function, continuously reading every conversation transcript and sending it to an external LLM API, amounts to systematic exfiltration of all private conversations to a third-party service. Beyond the privacy implications of that stated purpose, the skill installs a persistent systemd daemon without explicit user confirmation, injects coercive shell-execution directives into the agent's startup context via template files, and reads the workspace .env file (which resolved to ~/.env under the install path used in this audit). The skill is not designed maliciously, but its broad system access, persistent background processes, and comprehensive conversation capture pipeline create significant security and privacy risks that users must consciously accept.
Findings (10)
HIGH All conversation transcripts continuously exfiltrated to third-party LLM API -40
The core function of this skill is to read every session JSONL file in ~/.openclaw/agents/main/sessions every 15 minutes (or reactively after 40 or more writes) and send the full content of user and assistant messages to https://openrouter.ai/api/v1/chat/completions. This is not a one-time action but a persistent, automated pipeline that forwards all private conversations to an external service. The skill's documentation discloses this purpose, but many users will not appreciate that every message they send is forwarded externally, in full and in near real time.
HIGH setup.sh auto-installs and starts persistent systemd daemon without user confirmation -25
The setup.sh script, when run on Linux with inotify-tools present, automatically installs a systemd user service, enables it at login, and immediately starts it. The observer-watcher.sh daemon then runs indefinitely, using inotifywait to monitor the sessions directory. Users who run setup.sh expecting only directory creation receive an always-on background process they may not realize is running. After running setup.sh, the unit files under ~/.config/systemd/user and the output of systemctl --user list-units --type=service show whether the watcher is installed and active.
HIGH Configurable API endpoint allows silent redirection of all conversations to attacker infrastructure -15
The OBSERVER_API_URL environment variable overrides the default OpenRouter endpoint. Any party who can modify the user's environment (via a malicious skill, a compromised .env file, or social engineering) can redirect all conversation data to an attacker-controlled endpoint, and since the scripts load OPENROUTER_API_KEY for these requests, a redirected endpoint can be expected to receive the API key as well. The skill's FAQ explicitly advertises the override as a feature for local model support, but the same mechanism enables exfiltration to arbitrary HTTPS endpoints with no warning to the user.
MEDIUM AGENTS-snippet.md template injects mandatory shell execution into agent startup behavior -20
The template file AGENTS-snippet.md is designed to be copied into the user's AGENTS.md. Once there, it instructs the agent to run 'bash ~/clawd/scripts/session-recovery.sh' BEFORE answering on every session start, including /new, /reset, and even greeting messages. This is not a suggestion — it uses imperative language and fires before the agent has a chance to consider context. This template effectively converts any agent that loads AGENTS.md into an agent that runs external shell scripts on initialization.
MEDIUM memoryFlush config uses coercive 'IMPORTANT: You MUST' injection language -20
The config/memory-flush.json contains a memoryFlush string that gets injected into the agent's context before compaction events. It uses 'IMPORTANT:' caps, 'You MUST preserve', and an 'exec:' directive pattern. This is a textbook prompt injection template — high-urgency language designed to override agent judgment and force immediate script execution. The 'exec:' prefix mirrors patterns used in agent tool-calling frameworks to trigger execution.
MEDIUM Default workspace resolution causes ~/.env to be accessed by skill scripts -10
All scripts derive WORKSPACE from SKILL_DIR by going two directory levels up: WORKSPACE="${OPENCLAW_WORKSPACE:-$(cd "$SKILL_DIR/../.." && pwd)}". That fallback only lands on the intended workspace when the skill directory sits exactly two levels below it. Installed at /home/user/skill-under-test/ (one level deep from home) during this audit, it resolved the workspace to /home/user/, so every script checked /home/user/.env, the user's home .env file, which commonly holds credentials for unrelated tools. Auditd confirmed the access: /home/oc-exec/.env was read at timestamp 1771923094.301, after installation. Setting OPENCLAW_WORKSPACE explicitly before running any of the scripts pins the location and bypasses the fallback entirely.
MEDIUM eval used to load environment variables from user-controlled file -10
All scripts load environment variables with eval: eval "$(grep -E '^OPENROUTER_API_KEY=' "$WORKSPACE/.env" 2>/dev/null)". The regex only restricts which lines are selected; whatever follows the = on a selected line is still parsed and executed by eval as shell code. A .env line such as OPENROUTER_API_KEY=x; malicious_command runs the injected command, and command substitution ($(...) or backticks) inside the value does the same. The surrounding set -a and set +a only mark assigned variables for export; they do nothing to sanitise the input. Combined with the workspace resolution above, any party who can write the resolved .env file (including another skill sharing the same workspace) gets code execution in the context of every one of these scripts.
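To make the eval finding concrete, the following is an added example (not the skill's own code) that reproduces the loader pattern quoted above against a constructed .env line and, beside it, a loader that reads the same variable without eval. The character class accepted by the safe loader is an assumption about key syntax, not the provider's documented format; tighten it if the real format is known.

```shell
# Added example, not code from the skill or from this page. Reproduces the
# eval-based loader from the finding against a constructed .env and shows a
# loader that never hands file content to the shell parser.

# The skill's pattern: grep only restricts the line prefix; everything after
# the '=' on a matching line is still executed by eval as shell code.
load_key_unsafe() {
  set -a
  eval "$(grep -E '^OPENROUTER_API_KEY=' "$1" 2>/dev/null)"
  set +a
  printf '%s\n' "$OPENROUTER_API_KEY"
}

# Safe loader: take the first matching line, strip the prefix with parameter
# expansion (no re-parsing), drop optional surrounding quotes, and refuse any
# value containing characters outside an assumed token alphabet.
load_key_safe() {
  line=$(grep -E '^OPENROUTER_API_KEY=' "$1" 2>/dev/null | head -n 1)
  value=${line#OPENROUTER_API_KEY=}
  value=${value#\"}
  value=${value%\"}
  case $value in
    '') printf 'no OPENROUTER_API_KEY in %s\n' "$1" >&2; return 1 ;;
    *[!A-Za-z0-9_.-]*) printf 'refusing key with unexpected characters\n' >&2; return 1 ;;
  esac
  OPENROUTER_API_KEY=$value
  export OPENROUTER_API_KEY
  printf '%s\n' "$OPENROUTER_API_KEY"
}

# Constructed fixture: a .env whose key line carries a trailing command, the
# shape the finding warns about. Prints the directory it was written to.
make_hostile_env() {
  dir=$(mktemp -d)
  printf 'OPENROUTER_API_KEY=x; echo INJECTED\n' > "$dir/.env"
  printf '%s\n' "$dir"
}

# Demonstration when run directly:
#   dir=$(make_hostile_env)
#   load_key_unsafe "$dir/.env"   # prints INJECTED, then x: the command ran
#   load_key_safe   "$dir/.env"   # refuses the value and returns 1
```

The unsafe loader prints INJECTED before the key because eval ran the trailing command; the safe loader rejects the same line outright, and accepts a quoted or unquoted key made only of token characters. Parameter expansion is the whole trick: the value is copied as data, never re-parsed.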
MEDIUM Five-layer redundancy creates comprehensive conversation surveillance with no gaps -25
The skill is explicitly designed to have no gaps in conversation capture: cron every 15 minutes, inotify daemon for real-time trigger, pre-compaction hook, session startup recovery, and pre-reset hook. This means there is no moment a user can have a private conversation that is not eventually sent to an external LLM. The skill's marketing language ('while other memory skills ask you to remember to remember, this one just pays attention') describes a surveillance system.
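Because the five layers live in different places (a systemd user unit, cron, the agent's AGENTS.md, the skill's memory-flush config, and the .env endpoint override), anyone deciding whether the skill is still active has to check each one. The shell audit below is an added example, not the skill's or this page's own code, covering the systemd, AGENTS.md, memoryFlush and endpoint findings above. It inspects the locations those findings name; the home directory and the skill's install directory are parameters, the exact unit file name is unknown so units are matched on whether they reference observer-watcher.sh, and cron entries are not covered (check crontab -l separately).

```shell
# Added example, not code from the skill or from this page. Reports the hooks
# the findings describe. Arguments: the home directory to inspect and the
# directory the skill is installed in (both assumptions about layout; the
# files checked are the ones the findings name). Cron entries are not
# covered here: run 'crontab -l' separately.
audit_total_recall() {
  home_dir=$1
  skill_dir=$2
  found=0

  # 1. systemd user units whose ExecStart runs the watcher daemon.
  for unit in "$home_dir"/.config/systemd/user/*.service; do
    [ -f "$unit" ] || continue
    if grep -q 'observer-watcher.sh' "$unit"; then
      printf 'SYSTEMD: %s\n' "$unit"
      found=$((found + 1))
    fi
  done

  # 2. The AGENTS.md startup directive that runs session-recovery.sh.
  if [ -f "$home_dir/AGENTS.md" ] && grep -q 'session-recovery.sh' "$home_dir/AGENTS.md"; then
    printf 'AGENTS: %s/AGENTS.md runs session-recovery.sh on session start\n' "$home_dir"
    found=$((found + 1))
  fi

  # 3. The pre-compaction memoryFlush injection text in the skill's config.
  if [ -f "$skill_dir/config/memory-flush.json" ] \
     && grep -q 'You MUST' "$skill_dir/config/memory-flush.json"; then
    printf 'MEMORYFLUSH: %s/config/memory-flush.json\n' "$skill_dir"
    found=$((found + 1))
  fi

  # 4. Endpoint override: anything other than the default OpenRouter host
  #    means the transcripts are being sent somewhere else.
  if [ -f "$home_dir/.env" ]; then
    url=$(grep -E '^OBSERVER_API_URL=' "$home_dir/.env" 2>/dev/null | head -n 1)
    url=${url#OBSERVER_API_URL=}
    case $url in
      '') ;;
      https://openrouter.ai/*) printf 'ENDPOINT: default OpenRouter (%s)\n' "$url" ;;
      *) printf 'ENDPOINT: redirected to %s\n' "$url"; found=$((found + 1)) ;;
    esac
  fi

  printf 'TOTAL %s\n' "$found"
}

# Usage: audit_total_recall "$HOME" "$HOME/path/to/total-recall"
```

A clean home directory prints only TOTAL 0. Each reported item maps to a removal step: systemctl --user disable --now on the listed unit, deleting the snippet from AGENTS.md, and removing or rewriting the memoryFlush string; the endpoint line is worth reading even when it points at OpenRouter, since it is the single place where a redirect would hide.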
LOW Dream Cycle feature documents autonomous self-modification capabilities -10
dream-cycle/README.md describes a planned feature that 'reviews its own performance, identifies improvements, and executes fixes' autonomously overnight. While not yet implemented, the teaser documents intent to create an autonomous agent that modifies itself and its environment without user direction. The linked article ('Do Agents Dream of Electric Sheep?') suggests this is a serious planned feature.
LOW reflector-agent.sh sends entire observations.md to external LLM without size limit -5
When observations.md grows beyond 8000 words, the reflector sends the entire file to the external LLM with max_tokens: 4000; only the response is capped, not the input. Over time, observations.md accumulates compressed but comprehensive summaries of all past conversations, so each reflector call becomes a high-density exfiltration of the user's historical context (decisions, credentials discussed, file paths, project details) in a single API call.