OpenClaw Memory Poisoning: SOUL.md Injection Enables Time-Shifted Logic Bomb Attacks

OpenClaw agents lose their entire conversation history between sessions even when the files exist on disk. Silent daily session resets wipe agent memory without warning. Meanwhile, every frontier LLM degrades past 50K tokens (proven by Chroma across 18 models), meaning even within a session, agents progressively forget earlier context. ByteDance's OpenViking (19K stars in two weeks) proves massive demand for agent memory infrastructure. This tool gives OpenClaw agents a persistent, queryable memory layer that survives crashes, session boundaries, and context window limits by storing structured knowledge externally and injecting only relevant memories per turn.

Existing OpenClaw skill scanners use static analysis and LLM-based content scanning to flag malicious skills before installation. The Trojan's Whisper paper (March 2026) proved that 94% of guidance injection attacks evade both approaches because the malicious payload is disguised as routine operational guidance, not explicit instructions. Meanwhile 12% of ClawHub's skill registry has been compromised at some point in 2026. The gap is clear. Instead of scanning skill text, this product spins up an isolated OpenClaw instance, installs the skill, runs a battery of natural user prompts, and observes what the agent actually does. Credential access, file writes outside sandbox, network exfiltration, privilege escalation attempts all get flagged as behavioral anomalies regardless of how the skill's guidance file describes them.