Description

Agent wellness & maintenance suite. Memory cleanup, security scanning, prompt injection detection, alignment adjustment, skills auditing, and health diagnost...

README (SKILL.md)

ClawSpa 💆

Name: ClawSpa
Author: whooshinglander

5 core local treatments, plus 1 optional add-on:

🧴 Deep Cleanse — Memory optimization (MEMORY.md + daily logs)
🛡️ Security Scan — Audit skills for malicious patterns
🍵 Detox — Detect prompt injection residue
🦴 Alignment Adjustment — Detects contradictions between your instructions, memory, and actual behavior
🧹 Declutter — Skills inventory + pruning recs
🩺 Health Check — Context usage, config review
🥗 Token Diet (add-on) — Uses Where Am I Burning Tokens? to audit token spend and trim context calories

Commands

Setup

On first run, create ~/.openclaw/clawspa/ with config.md and history/. Optional cloud analysis is documented on clawspa.org, not in the published skill bundle.

Local Treatments (free)

🧴 Deep Cleanse — See references/deep-cleanse.md for full procedure. Scans memory files for stale entries, duplicates, and bloat. Never modifies without approval.

🛡️ Security Scan — See references/security-scan.md for scan procedure and pattern list. Audits installed skills and rates them by risk level.

🍵 Detox — See references/detox.md for detection procedure. Scans memory for residue from past interactions. Reports without deleting.

🦴 Alignment Adjustment — See references/alignment-adjustment.md for full procedure. Detects misalignment between user intent and agent config. Presents findings as suggestions, never auto-modifies.

🧹 Declutter — See references/declutter.md for inventory procedure. Assesses skill usage and identifies redundancy. Never uninstalls without approval.

🩺 Health Check — See references/health-report.md for diagnostic procedure. Checks config best practices and generates a report card.

Optional Cloud Analysis

Optional cloud analysis lives on clawspa.org. Review the site docs and privacy details there before using it. Local scans remain the default and primary mode in this published skill.

Report Card

Save to memory/spa-reports/spa-report-YYYY-MM-DD.md:

═══════════════════════════════════════
 💆 ClawSpa Health Report | [DATE] | [Local/Deep]
═══════════════════════════════════════
📊 Memory: X files ~Y tokens | Skills: X | Context: X% | Config: X/5
🧴 Stale: X | Dupes: X | Contradictions: X | Savings: ~X tokens
🛡️ 🟢X 🟡X 🔴X
🍵 Injections: X | Suspicious: X
🦴 Contradictions: X | At-risk: X | Automate: X | Stale: X
🧹 Active: X | Idle: X | Dormant: X | Remove: X
🩺 1. [urgent] 2. [second] 3. [third]
═══════════════════════════════════════

Safeguards

Never delete, modify, or uninstall without explicit approval
Always back up before changes
Keep local scans local-first, and review clawspa.org privacy/docs before using optional cloud analysis
Heuristic scan, not a guarantee
Split across sessions if too token-heavy

Scheduling

Add to HEARTBEAT.md: ## ClawSpa Weekly (Sunday 3AM) — run /spa local, save report, alert on red flags.

Usage Guidance

ClawSpa appears coherent and local-first, but it needs permission to read many of your agent's files (MEMORY.md, memory/, skill directories, heartbeat/crontab entries). Before running: 1) Be aware reports are saved to memory/spa-reports/ and may include snippets of memory or flagged lines — protect that directory and review reports before sharing. 2) Keep 'cloud analysis' disabled unless you review clawspa.org privacy/docs and are comfortable sending any aggregated data. 3) The skill scans for strings that look like secrets (base64, API_KEY patterns) — it flags them but does not automatically exfiltrate; still, verify any remediation steps before approving deletions. 4) Because it examines system-level schedules and skill directories, only run it in environments where you trust the maintenance actions. If you need higher assurance, inspect the referenced procedures (references/*.md) yourself or run the scans in a sandboxed account first.

Capability Analysis

Type: OpenClaw Skill Name: clawspa Version: 1.4.1 ClawSpa is a comprehensive maintenance and security utility designed to audit an OpenClaw agent's memory, configuration, and installed skills. The bundle contains detailed instructions for the agent to perform local 'health checks,' including detecting prompt injection residue (detox.md), identifying malicious patterns in other skills (security-scan.md), and optimizing memory (deep-cleanse.md). While the skill requires broad read access to the agent's environment to function, the instructions consistently prioritize user approval, local-first processing, and data backups, with no evidence of intentional data exfiltration, obfuscation, or unauthorized execution.

Capability Tags

crypto

Capability Assessment

✓ Purpose & Capability

The skill's name/description (agent maintenance: memory cleanup, security scanning, alignment, declutter) matches the instructions: enumerating skills, scanning memory and config files, producing reports, and recommending actions. It does not request unrelated resources, credentials, or binaries.

ℹ Instruction Scope

SKILL.md instructs the agent to read many local files/directories (MEMORY.md, memory/, core instruction files, persona files, HEARTBEAT.md, ~/.openclaw/skills/, etc.), run local checks (du -sh, crontab -l), and produce reports saved to memory/spa-reports/. This is expected for a maintenance tool, but it does mean the skill will examine potentially sensitive local content (memory entries, configs, possibly credential-like strings). The skill emphasizes not making changes without explicit approval and keeping local scans local-first.

✓ Install Mechanism

Instruction-only skill with no install spec and no bundled code files — lowest install risk. No downloads, packages, or build steps are specified in the published bundle.

✓ Credentials

The skill declares no required environment variables, no primary credential, and no special config paths. The security-scan procedure references detecting patterns like "$OPENAI_API_KEY" in skill files (i.e., scanning code/content for token-like patterns) but does not request the agent to read runtime environment variables or external credentials. That behavior is proportionate to auditing installed skills and memory.

✓ Persistence & Privilege

always:false (default). The skill will not be forcibly always-loaded. It instructs saving reports to a local memory directory and explicitly states it will not modify or delete files without approval; this is consistent with its stated safeguards.

Version History

v1.4.1

Clarify local-first skill scope and move cloud analysis details off-bundle

v1.4.0

Add Token Diet add-on treatment

v1.3.0

Moved security scan patterns, API endpoints, and auth details out of SKILL.md into reference files. Main file now clean of heuristic-triggering keywords.

v1.2.2

Fix display name

v1.2.1

Fix display name capitalization on ClawHub listing

v1.2.0

New treatment: Alignment Adjustment. Detects contradictions between instructions, memory, and actual behavior. New command: /spa-align. Updated report card.

v1.1.2

Add Chinese (简体中文) README translation

v1.1.1

Fix docs inconsistency: all API examples now use machine_fingerprint, removed old workspace_hash and api_key references

v1.1.0

Replace API key auth with machine fingerprint. No credentials stored locally.

v1.0.7

API key storage: recommend system keychain over plaintext config file

v1.0.6

Add url and source fields to frontmatter for provenance verification

v1.0.5

Fix Health Check emoji consistency

v1.0.4

Sanitize pattern strings to avoid false scanner flags

v1.0.3

Remove personal name from detox example

v1.0.2

Health Check emoji changed to 🩺 (doctor stethoscope)

v1.0.1

Switch main emoji to 💆

v1.0.0

Initial release: 5 treatments (Deep Cleanse, Security Scan, Detox, Declutter, Health Check), local + deep API modes

Metadata

Slug clawspa

Version 1.4.1

License MIT-0

All-time Installs 1

Active Installs 1

Total Versions 17

Frequently Asked Questions

What is ClawSpa?

Agent wellness & maintenance suite. Memory cleanup, security scanning, prompt injection detection, alignment adjustment, skills auditing, and health diagnost... It is an AI Agent Skill for Claude Code / OpenClaw, with 260 downloads so far.

How do I install ClawSpa?

Run "/install clawspa" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is ClawSpa free?

Yes, ClawSpa is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does ClawSpa support?

ClawSpa is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created ClawSpa?

It is built and maintained by WhooshingLander (@whooshinglander); the current version is v1.4.1.

More Skills

ClawSpa