Skillv1.0.0

ClawScan security

Openclaw Skill Intelligence Ingestion · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewFeb 23, 2026, 10:36 AM

Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary: The skill's behavior (reading internal memory files and writing to specific local/volume paths, and instructions to act without asking) is plausible for an 'intelligence ingestion' tool but is not declared in the spec and grants broad filesystem interactions without explicit consent—this mismatch is suspicious and deserves user review before install.
Guidance: This skill's goals (automatically turn shared URLs into Obsidian notes and memory entries) are reasonable, but there are important mismatches you should address before installing: - The SKILL.md assumes read/write access to these local locations: /Volumes/T7 Shield/Obsidian_Vault/... and ~/.openclaw/workspace/memory/YYYY-MM-DD.md plus internal files like MEMORY.md, SOUL.md, PRINCIPLES.md. The manifest declares none of these as required config paths—confirm you are comfortable with the skill reading/writing those exact paths. - The skill instructs the agent to "Do NOT ask for permission — just process it." If you want manual control, edit the SKILL.md or the skill config to require explicit user confirmation before fetching URLs or writing files. Otherwise the agent may autonomously fetch external content and modify local files whenever trigger phrases or URLs appear. - Because the skill writes persistent data, test it first with a disposable vault path and non-sensitive memory files to confirm behavior (and confirm filename formatting and deduplication logic). Back up your Obsidian vault before use. - Prefer explicit config: require the user to set the Obsidian vault path and memory path via config (declared in requires.config or requires.config_paths), and remove the instruction to skip permission prompts. - If you allow it to run autonomously, run it in a least-privileged agent account or sandbox to limit risk of unwanted mass changes or accidental data exposure. If you want, I can produce a suggested safer SKILL.md patch that: (a) makes the vault/memory paths configurable, (b) requires explicit user confirmation before performing writes, and (c) documents required config paths and consent prompts. This would make the skill coherent and safer to install.

Review Dimensions

Purpose & Capability: concernThe skill's stated purpose (ingest URLs, classify, create Obsidian notes, update memory) aligns with actions described in SKILL.md, but the manifest declares no required config paths or credentials while the runtime instructions explicitly read and write specific local files (/Volumes/T7 Shield/Obsidian_Vault/..., ~/.openclaw/workspace/memory/YYYY-MM-DD.md) and reference internal docs (MEMORY.md, SOUL.md, PRINCIPLES.md, AGENTS.md, TOOLS.md). The missing declaration of filesystem/config access is an incoherence: either the skill should declare those config paths/permissions, or the instructions should not assume arbitrary filesystem access.
Instruction Scope: concernSKILL.md gives explicit runtime instructions to: fetch and read arbitrary URLs (ok for purpose), search the web for tweet content if parsing fails, read internal project files for 'Active Engineering Bottleneck', create notes at a fixed absolute path on a mounted volume, and always append to local memory logs. It also instructs 'Do NOT ask for permission — just process it.' That directive to act without user consent is out of scope for a benign skill and increases risk because it will perform network fetches and local file writes automatically when triggered.
Install Mechanism: okNo install spec and no code files executed at install time—this is instruction-only, which reduces attack surface from installers or remote downloads. There are local repository files (README, index.html) but no runtime install procedure declared.
Credentials: concernThe skill declares no required environment variables or primary credential, but its instructions require access to sensitive local artifacts (MEMORY.md, workspace memory files, SOUL.md, etc.) and an external mounted vault path. Requesting no credentials/config while expecting to read and write these specific files is disproportionate and an transparency gap. There are no network endpoints beyond fetching user-provided URLs, but the file access itself is significant.
Persistence & Privilege: concernalways:false and user-invocable:true are reasonable, but the SKILL.md explicitly directs the agent to "execute this pipeline automatically" and not ask for permission when a trigger condition occurs. Combined with autonomous invocation being allowed by default, this creates a scenario where the skill may autonomously fetch data and modify local files without explicit user confirmation. The skill does not request to persist settings across agents, but its behavior of updating memory and vault files is persistent in the user's environment and should require explicit consent/configuration.