ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Phoenix Loop

v1.0.0

Auto-diagnose agent failures, extract reusable recovery patterns, and create local skills to fix recurring blockers while keeping all data private and local.

0· 405·0 current·0 all-time
by@dalomeve
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name and description (auto-diagnose failures, extract patterns, create local skills) align with the actions the skill asks the agent to take: read local memory files, extract patterns, and write skill files to skills/local/. No unrelated credentials, binaries, or network endpoints are requested.
Instruction Scope
Instructions operate only on local paths (memory/, skills/local/, HEARTBEAT.md) and include explicit privacy checks. Minor issues: the runtime uses PowerShell commands (Get-Content, Select-String, Test-Path, Rename-Item) but the skill has no OS restriction — this could break on systems without PowerShell or lead to different behavior on Unix. There is a filename inconsistency in completion checks (examples use both skills/local/{name}-recovery.md and skills/local/{name}.md). The sensitive-data filter relies on simple pattern matching which could miss secrets encoded differently; the doc does not require aborting when secrets are found, only removing/matching.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by an installer; all actions are local file reads/writes performed by the agent at runtime.
Credentials
The skill requests no environment variables, credentials, or external tokens. It references the OPENCLAW_ prefix in its sensitive-data filter (to avoid recording platform tokens) but does not require or attempt to read such environment variables; this is proportionate to its stated privacy goal.
Persistence & Privilege
The skill creates and updates files under skills/local/, which persist and can change the agent's future behavior (new recovery skills can be auto-invoked later). always:false (not force-included) mitigates some risk, but persistent creations mean you should review any generated local skill before allowing autonomous re-use. The skill's ability to write persistent executable artifacts is expected for its purpose but raises a usable-security consideration.
Assessment
This skill appears to do what it claims and keeps data local, but review these before installing: 1) Platform compatibility — the SKILL.md uses PowerShell commands; ensure your agent runtime supports PowerShell or adapt the commands. 2) Review and approve generated files — the skill will create/update files in skills/local/ that the agent can later run; you should inspect new recovery skills before trusting them for autonomous fixes. 3) Privacy filtering is regex-based and imperfect — run the provided privacy-checklist and consider stronger secret-detection if you have high-sensitivity data. 4) Filename/verification inconsistencies — the skill has a small mismatch in example filenames; test the workflow in a sandbox copy of your repository. 5) Back up skills/local/ and memory/ before first run, and consider restricting autonomous invocation or enabling a manual approval step for new skills until you are comfortable with the loop's behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk97emqx54y6nst8ncctbny1zth821c4b
405downloads
0stars
1versions
Updated 7h ago
v1.0.0
MIT-0
@dalomeve
latest
Download

Phoenix Loop

Rise from failures. Complete tasks persistently.

When the agent encounters blockers, failures, or repeated friction, this skill starts a self-healing loop: Diagnose -> Extract -> Crystallize -> Verify.

Core Mechanism

1. Diagnose

# Read recent blocked items
Get-Content memory/blocked-items.md | Select-String "Blocker" -Context 3

# Extract failure patterns
Get-Content memory/tasks.md | Select-String "Status: failed" -Context 5

Diagnosis Checklist:

  • Is the failure cause clearly stated?
  • Were at least 2 solution paths attempted?
  • Is minimum unblock input defined?

2. Extract

Extract reusable patterns from failures:

## Failure Pattern: {pattern_name}
- Trigger: {when_this_happens}
- Root Cause: {root_cause}
- Solution: {fix_steps}
- Verification: {verification_criteria}

3. Crystallize

Write the lesson to a local skill:

skills/local/{pattern_name}-recovery.md

Skill Template:

# {Pattern Name} Recovery

## Trigger
When {condition} happens

## Steps
1. {step_1}
2. {step_2}
3. {step_3}

## Verification
- [ ] {check_1}
- [ ] {check_2}

## Fallback
If failed, execute {fallback_action}

4. Verify

Next time a similar issue occurs:

  1. Search skills/local/ for matching skills
  2. Execute recovery steps
  3. Log result to memory/{date}.md
  4. Update skill if needed

Privacy Security

All data stored locally:

  • NO external logging of failure data
  • NO API keys or tokens in skill files
  • NO upload of user task content
  • Only pattern names and solution steps recorded
  • Skills stored in skills/local/ local directory

Sensitive Data Filter: Before writing to any memory or skill, check and remove:

  • apiKey, token, secret, password
  • Bearer , sk-, OPENCLAW_
  • Personal emails, phones, addresses

Executable Completion Criteria

A phoenix-loop task is complete if and only if:

CriteriaVerification Command
Failure pattern namedSelect-String "Failure Pattern" memory/blocked-items.md
Local skill createdTest-Path skills/local/{name}-recovery.md
Skill has trigger sectionSelect-String "## Trigger" skills/local/{name}.md
Skill has verification stepsSelect-String "## Verification" skills/local/{name}.md
Memory updatedSelect-String "phoenix-loop" memory/{today}.md
Privacy check passedSkill file contains no `apiKey

Usage Example

Scenario: Missing API Key Blocks Task

1. Diagnose:

Blocker: Missing Brave API key
Attempted: web_search (failed)
Unblock Input: User runs `openclaw configure --section web`

2. Extract Pattern:

Failure Pattern: missing-api-key
Trigger: Tool requires unconfigured API key
Solution: 1. Detect missing key 2. Return config command 3. Provide fallback

3. Crystallize Skill:

# Missing API Key Recovery

## Trigger
When tool returns "missing_*_api_key" error

## Steps
1. Extract required key name
2. Return config command: openclaw configure --section {section}
3. Provide manual fallback option

## Verification
- [ ] User receives clear config instructions
- [ ] At least 1 alternative provided

4. Verify: Next time an API key issue occurs, auto-apply this skill.

Heartbeat Integration

Add to HEARTBEAT.md:

## Self-Check (Every 24 Hours)
1. Check `memory/blocked-items.md` for blockers older than 24h
2. Run phoenix-loop diagnosis on each long-term blocker
3. If reusable pattern found, create or update skill

Rollback

If the skill causes issues:

# Disable skill (rename)
Rename-Item skills/local/{name}-recovery.md skills/local/{name}-recovery.md.disabled

# Delete skill
Remove-Item skills/local/{name}-recovery.md

References

  • memory/blocked-items.md - Blocker records
  • memory/tasks.md - Task history
  • skills/local/ - Local skill library

Rise stronger from every failure.

Comments

Loading comments...