Claw Brain - Personal AI Memory System for OpenClaw/ClawDBot. Provides memory, personality, bonding, and learning capabilities with encrypted secrets support. Auto-refreshes on service restart.
Security Analysis
medium confidenceThe ClawBrain skill's code, hooks, and runtime instructions are broadly coherent with a personal agent memory system; nothing in the bundle points to clear misdirection or unrelated credential access, but there are several user-impacting behaviors (auto-migration of secrets, filesystem probing hooks, installer scripts) you should review before installing.
The files, hooks, bridge, CLI, and environment variables described are consistent with a memory system that supports multiple storage backends and encrypted secrets. Environment variables listed in SKILL.md (BRAIN_ENCRYPTION_KEY, POSTGRES/REDIS settings, etc.) align with the documented storage and encryption features. The package contains the expected runtime bridge, CLI and hook code for integrating with ClawDBot/OpenClaw.
The runtime instructions and hooks do what you'd expect for a memory skill (refresh on startup, save session on /new, run a python bridge). However, the startup hook and handler probe many filesystem locations (home dirs, site-packages, system paths) to locate the bridge script and will invoke python3 to import the package. Also, the project documents an automatic migration that will encrypt existing unencrypted secrets on initialization if a key is generated — this is functionally coherent but has operational impact (it may modify your DB on first run). These behaviors are reasonable for the stated purpose but worth conscious review and consent prior to first run.
There is no centralized install spec in the registry metadata (skill is instruction-only) but the bundle includes install.sh and remote-install.sh, and a pip installation / PyPI workflow is documented. The changelog indicates the project previously offered curl|bash and now recommends git clone or pip; remote-install.sh reportedly has interactive confirmation. Presence of an included remote-install script and installer means you should inspect those scripts before executing them, but the provided artifacts otherwise use common package/install patterns (pip, git) rather than arbitrary downloads.
Requested and documented environment variables (BRAIN_ENCRYPTION_KEY, BRAIN_POSTGRES_*, BRAIN_REDIS_*, etc.) are directly relevant to the skill's storage and encryption functionality. The skill does not request unrelated cloud/provider credentials or other service tokens in the metadata. The number of env vars is appropriate for a storage-backed memory system.
The skill is not marked always:true and is user-invocable (normal defaults). It installs a startup hook that will run on gateway startup (expected for an agent memory feature). The combination of autonomous invocation (hooks + bridge) plus automatic migration/encryption on initialization increases the operational impact (it can modify the local DB and create key files); this is expected for the feature but you should understand and authorize it before enabling.
Guidance
This skill appears to be what it says: a local agent memory system with optional encryption. Before installing: 1) Inspect install.sh and remote-install.sh — do not run curl|bash from an unknown URL; prefer pip install or cloning the repo and running the installer manually. 2) Set a BRAIN_ENCRYPTION_KEY yourself (via env or config file) if you want deterministic key ownership instead of having the skill auto-generate one. 3) Be aware that on first initialization the skill can auto-migrate and encrypt existing secrets in the DB; back up your database and keys first. 4) Review the hook (handler.js) and bridge (brain_bridge.py) code — they probe common user and system paths to locate and run the package; this is necessary for integration but means the hook will access the filesystem to find installed artifacts. 5) Avoid running migration utilities (scripts/migrate_agent_id.py) or other provided scripts unless you understand and have backups — they perform direct DB operations. If you trust the source (official repository or PyPI package from a known maintainer), these behaviors are reasonable; if you cannot verify the origin, exercise caution and audit the code or run it in an isolated environment first.
Latest Release
v0.1.10
ClawBrain 0.1.7 introduces major improvements, CLI tools, encryption, and testing: - Added encryption support for secrets (API keys, credentials) with key management CLI and auto key generation. - Introduced new CLI commands (`clawbrain setup`, `generate-key`, `show-key`, `backup-key`, etc.) for setup, key handling, and diagnostics. - Added GitHub CI workflows for automated testing and publishing. - Added integration, unit, and container tests under the new `tests/` directory. - Implemented agent ID migration and bridge scripts for smoother upgrades. - Removed legacy `clawbrain.py` in favor of a modular and more maintainable structure.
More by @clawcolab
Published by @clawcolab on ClawHub
