Skill v1.1.7
ClawScan security
brain 大脑 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 25, 2026, 10:45 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's files and instructions largely match the described 'agent memory/decision' purpose, but there are mismatches and a few risky behaviors (undocumented CLI dependency, arbitrary shell exec wrapper, and automatic reading/writing of your workspace memory files) that you should review before installing.
- Guidance: This skill implements a local 'brain' using scripts that read and write files in ~/.openclaw/workspace and that can spawn subagents via the openclaw CLI. Before installing:
  - Inspect the scripts yourself (they are plain JS / shell) and confirm you are comfortable with them reading SNAPSHOT.md and 工作缓冲区.md and writing logs/capsules under your HOME directory.
  - Note the packaging omission: the skill did not declare required binaries. Ensure you have Node.js and the 'openclaw' CLI available and understand what openclaw sessions_spawn will do in your environment.
  - Be cautious about sensitive data: don't store secrets or credentials in SNAPSHOT.md or the work buffer because their contents are programmatically injected into agent contexts.
  - The watchdog provides an 'exec' entrypoint and a general execWithRetry wrapper. Only run it with trusted commands and avoid passing untrusted input into shell execution paths.
  - Test in an isolated workspace (or backup current ~/.openclaw/workspace) before copying scripts into production. If you need stricter control, remove or sandbox the parts that spawn subagents or execute shell commands.

  If you want, I can: (a) list the exact lines that call external commands and file paths, (b) suggest a safer minimal configuration that disables exec entrypoints, or (c) produce a checklist for a secure manual install.
- Findings:
  - [child_process.execSync] expected: subagent-watchdog uses execSync to run arbitrary commands and to call 'openclaw sessions_spawn' to spawn subagents; spawning subagents is expected for a subagent orchestration tool, but execSync also enables running arbitrary shell commands when the 'exec' entrypoint is used.
  - [fs.readFileSync_appendFileSync] expected: Multiple scripts read and write files under $HOME/.openclaw/workspace (SNAPSHOT.md, 工作缓冲区.md, logs, capsules). This is expected for a local memory system but means those files' contents will be programmatically accessed and mutated.
  - [writes-to-/tmp] expected: The watchdog writes temporary JSON files to /tmp to spawn subagents; using /tmp is common but may leave artifacts if clean-up fails.
  - [undocumented-dependency-openclaw-cli] unexpected: Scripts call the 'openclaw' CLI (sessions_spawn) but the skill metadata declared no required binaries; this is a documentation/packaging mismatch that can surprise users.
  - [exec-wrapper] unexpected: execWithRetry exposes a general-purpose command execution wrapper (and is reachable via the CLI entrypoint). If you or an agent pass untrusted input into it, it could run arbitrary shell commands — an operational risk that requires careful use.
Review Dimensions
- Purpose & Capability (note): The scripts implement the described features (confidence scoring, checkpoints, 'capsules', semantic recall helper, watchdog and subagent routing). However the packaging declares no required binaries while several scripts expect a Node environment and the 'openclaw' CLI (sessions_spawn) to exist; that dependency is not declared in the skill metadata/instructions.
- Instruction Scope (concern): Runtime instructions (SKILL.md) tell you to copy scripts into your skills/workspace and to add SNAPSHOT.md and 工作缓冲区.md to bootstrapExtraFiles so their contents are injected into agent context. The scripts read and write files under $HOME/.openclaw/workspace (SNAPSHOT.md, 工作缓冲区.md, logs, capsules directory) and will publish assembled injection JSON to stdout. This legitimately supports the stated purpose, but it also means potentially sensitive workspace content will be programmatically read and included in agent contexts — and some wrappers allow execution of arbitrary shell commands when invoked.
- Install Mechanism (ok): No automated install spec — instruction-only plus scripts that you copy manually. This is lower install risk (nothing downloaded at runtime). The user is required to manually copy scripts into their environment, which gives them a chance to inspect files before use.
- Credentials (note): No environment variables or credentials are declared or requested, which aligns with a local, file-based memory system. However the code assumes process.env.HOME, a Node runtime, and an 'openclaw' CLI binary; those runtime dependencies are not listed. There are no network endpoints or secret-exfiltration hooks in the code, but the scripts will read whatever is in your workspace snapshot/buffer (which may contain secrets) and can write logs and capsule files to your HOME.
- Persistence & Privilege (note): always:false (good). The skill writes and updates files under ~/.openclaw/workspace (buffers, snapshots, logs, capsule files) and instructs adding files to bootstrapExtraFiles so they become part of agent context — this is persistent and intended, but you should be aware it modifies your workspace files and will cause their contents to be injected into agent prompts.
