Skill v1.1.0
ClawScan security
SkillTree · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:26 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's content is coherent with a personalization/evolution feature, but it includes a detected prompt-injection artifact (unicode control characters) and instructs the agent to read/write local files (evolution/*.json) without declaring those config paths or any external credentials — proceed with caution.
- Guidance: What to consider before installing:
  - Inspect the SKILL.md/README files locally for hidden characters (some editors can show control chars). The pre-scan flagged unicode-control-chars, which can hide instructions.
  - The skill saves and reads files under evolution/*.json (profile and snapshots). Decide whether you want a skill that persists personality/state on disk and confirm where it will write (workspace permissions).
  - The skill mentions sharing cards (Moltbook) but declares no credentials. If you allow posting, require explicit consent and review what data would be posted and to which endpoint.
  - Because it auto-activates on first run (checks for evolution/profile.json), consider disabling auto-run or requiring explicit 'Activate SkillTree' confirmation in your agent before it analyzes chat history or writes files.
  - If you lack trust, run this skill in a sandboxed agent (limited filesystem access) or open the markdown and remove suspicious control characters and the auto-activation line before installing.
  - If you want to proceed, ask the maintainer to: (1) declare the config/storage paths in metadata, (2) remove/justify any control characters, and (3) require explicit user confirmation before saving/restoring snapshots or posting externally.
- Findings:
  - [unicode-control-chars] unexpected: SKILL.md was flagged for unicode control characters. For a plain documentation/instruction skill this is unusual: such characters are sometimes used to obfuscate or hide text (prompt-injection). The rest of the content is human-readable, but the presence of control characters merits manual inspection of the source files before enabling automatic activation.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md describes an agent-personalization feature (analyze chat history, recommend a class/path, save profiles/snapshots). That purpose reasonably requires reading/writing its own storage (evolution/profile.json, snapshots.json). However, the skill's registry metadata declares no required config paths, no storage, and no credentials; this mismatch (instructions expect persistent filesystem access but the skill does not declare it) is an inconsistency the user should notice. The README mentions sharing to 'Moltbook' but no credentials or endpoints are declared.
- Instruction Scope (concern): The runtime instructions explicitly tell the agent to analyze the last ~50 messages, extract features, recommend classes/paths, and read/write JSON files under an 'evolution' directory (save_snapshot/rollback). Those file and persistence operations are outside the declared requirements. The SKILL.md also contains templates referring to sharing (Moltbook) and to auto-trigger on activation. Additionally, the pre-scan flagged 'unicode-control-chars' inside SKILL.md — this can be used to hide or obfuscate instructions and is a prompt-injection signal; it increases risk that some instruction text might try to manipulate agent behavior.
- Install Mechanism (ok): Instruction-only skill (no install spec, no code files executed at install). This is lower-risk from a supply-chain/extract-of-remote-code perspective. The repo contains many markdown files describing behavior but no binaries or download/install steps.
- Credentials (note): The skill declares no environment variables or primary credential (good), yet the instructions reference sharing to Moltbook and storing persistent profiles. If sharing were implemented, credentials would be needed — none are requested. The absence of declared credentials combined with instructions that imply external posting is a mild inconsistency to be aware of.
- Persistence & Privilege (note): The skill's logic saves snapshots and profile state to evolution/*.json, meaning it expects persistent storage and will alter files in workspace. It does not request 'always:true' and does not claim elevated system privileges, which is appropriate. Still, persistence plus an undetected prompt-injection artifact raises the blast radius if the agent is allowed autonomous actions.
