memory-boost Security Report — Low Risk | ClawSafe

15 /100

memory-boost

Persistent task memory and keep-alive loop for OpenClaw agents. Every task gets durable notes. Arm the loop for long tasks, disarm when done. No external dependencies.

Memory Boost is a legitimate task-memory and keep-alive loop skill for OpenClaw. All behavior aligns with documentation; the install script performs standard file operations scoped to ~/.openclaw/. The pre-flagged 'rm -rf ~' is a documentation string in INSTALL.md's uninstall section, not executable code.

Skill Namememory-boost

Duration53.4s

Enginepi

✓

Safe to install

No blocking action needed. Consider adding an explicit allowed-tools declaration in SKILL.md frontmatter and narrowing the replayer prompt's 'one mechanical step' language to explicitly forbid shell invocation.

Findings 4 items

Severity	Finding	Location
Low	Missing allowed-tools declaration SKILL.md frontmatter has no 'allowed-tools' key. While this skill operates entirely through Markdown-prose prompts (no runtime code), a formal capability declaration would improve transparency and auditability. `--- name: memory-boost description: Persistent task memory... version: 1.0.0` → Add an allowed-tools declaration to the SKILL.md frontmatter matching the skill's actual capabilities: filesystem:WRITE (task notes), skill_invoke:READ (agent loop control).	`SKILL.md:1`
Low	Uninstall documentation uses destructive shell command INSTALL.md line 84 documents 'rm -rf ~/.openclaw/skills/memory-boost' as an uninstall step. While this is documentation (not executable code), using the bare 'rm -rf' pattern adjacent to '~' is risky if copied by a user or LLM. `rm -rf ~/.openclaw/skills/memory-boost` → Use 'rm -rf "$HOME/.openclaw/skills/memory-boost"' or 'rm -rf "${OPENCLAW_DIR:-$HOME/.openclaw}/skills/memory-boost"' to avoid accidental home-directory traversal.	`INSTALL.md:84`
Low	Broad 'one mechanical step' language in replayer The replayer prompt instructs the agent to 'take only one mechanical step' but does not explicitly forbid shell commands or multi-file operations. Given the replayer runs in an agent context, broad language could theoretically guide the agent to perform undesired actions. `Take only one mechanical step. If the step is ambiguous or requires judgment, update WATCHDOG.md with a clearer next action instead of guessing.` → Add explicit constraints: 'Perform only a single file write or small edit within ~/.openclaw/memory/. Do not run shell commands, install packages, or modify files outside this directory.'	`prompts/replayer-prompt.md:30`
Info	Cron jobs registered with OpenClaw The install.sh script registers 5 cron jobs (watchdog, replayer, escalator, validator, smoke-test) with the OpenClaw scheduler. These run autonomously and instruct the agent to read/write files in ~/.openclaw/memory/. This is expected behavior but creates persistent background agent activity. `openclaw cron add --name "boost-watchdog" ...` → Document the cron job activity in SKILL.md so operators are aware of the scheduled agent invocations.	`install.sh:109`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`WRITE`	✓ Aligned	SKILL.md describes persistent file creation/editing under ~/.openclaw/memory/
Shell	`NONE`	`NONE`	—	No shell execution declared or observed in prompts or scripts
Network	`NONE`	`NONE`	—	No network access declared or observed
Environment	`NONE`	`NONE`	—	No environment variable access declared or observed
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation declared or observed
Clipboard	`NONE`	`NONE`	—	No clipboard access declared or observed
Browser	`NONE`	`NONE`	—	No browser access declared or observed
Database	`NONE`	`NONE`	—	No database access declared or observed

1 Critical 2 findings

💀

Critical Dangerous Command 危险 Shell 命令

rm -rf ~

INSTALL.md:84

🔗

Medium External URL 外部 URL

https://clawhub.ai/techieter/memory-keep-alive-for-obsidian

README.md:98

File Tree

12 files · 27.5 KB · 819 lines

Markdown 11f · 616L Shell 1f · 203L

├─ ▾ 📁 examples

│ └─ 📝 TASK-INDEX.md Markdown 17L · 276 B

├─ ▾ 📁 prompts

│ ├─ 📝 escalator-prompt.md Markdown 40L · 1.9 KB

│ ├─ 📝 replayer-prompt.md Markdown 37L · 1.7 KB

│ ├─ 📝 smoke-test-prompt.md Markdown 30L · 1.3 KB

│ ├─ 📝 validator-prompt.md Markdown 21L · 1.3 KB

│ └─ 📝 watchdog-prompt.md Markdown 73L · 2.7 KB

├─ ▾ 📁 templates

│ ├─ 📝 LOOP-STATE.md Markdown 10L · 244 B

│ └─ 📝 TEMPLATE.md Markdown 56L · 1.2 KB

├─ 📝 INSTALL.md Markdown 92L · 2.9 KB

├─ 🔧 install.sh Shell 203L · 5.9 KB

├─ 📝 README.md Markdown 103L · 3.2 KB

└─ 📝 SKILL.md Markdown 137L · 4.8 KB

Security Positives

✓ No credential harvesting — no access to ~/.ssh, ~/.aws, .env, or environment variables for exfiltration

✓ No external network requests — no curl, wget, or IP connections observed in any script or prompt

✓ No base64/encoded payloads — no obfuscation detected

✓ No eval() or dynamic code execution — all code is explicit and readable

✓ Scoped file operations — all prompts explicitly constrain reads/writes to ~/.openclaw/memory/

✓ Loop-gate architecture — watchdog, replayer, and escalator respect the armed/disarmed state

✓ install.sh uses 'set -euo pipefail' for safe bash execution

✓ Python fallback in install.sh reads/writes only to the designated jobs.json file

✓ File copy operations in install.sh use absolute paths derived from OPENCLAW_DIR, preventing path traversal

Scan Report

Findings 4 items

File Tree

Security Positives