v1.0.0

Xiaopi Self Improving

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:37 AM.

Analysis

The skill does not show hidden exfiltration, but it creates automatic long-term memories that can affect future behavior across projects and even suggests automatic privileged commands, so it needs careful review.

Guidance: Install only if you intentionally want a persistent memory layer. Before using it, disable automatic sudo/global-install behavior, require confirmation before writing to AGENTS.md, MEMORY.md, .learnings, or git, review stored memories regularly, and avoid logging commands or errors that contain secrets.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
3. Automatically switch to: `sudo npm install -g xxx` or a local install

The workflow encourages an automatic fallback to a privileged global install after a command failure, without stating that the user must approve the sudo action first.

User impact: The agent could make system-wide changes or install packages with elevated privileges when a safer local fix or user approval should be required.
Recommendation: Never auto-run sudo or global install commands; require explicit user approval and prefer local, reversible installation paths.
Human-Agent Trust Exploitation
Severity: Medium | Confidence: Medium | Status: Concern
SKILL.md
- Back up memory files to git regularly; - Record sensitive information only after redaction

The skill presents redaction as a safeguard while also recommending git backups, but the included logging helpers persist supplied command, error, correction, and practice text directly to JSONL with no visible redaction or backup controls.

User impact: Users may assume sensitive details are automatically protected, while secrets in commands or error output could be stored and later committed to git.
Recommendation: Remove or qualify the redaction claim unless redaction is implemented; exclude memory files from git by default or require manual review before committing them.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
_meta.json
"ownerId": "kn71wwsjb8n1sx6wfhe8am3hms826n8y", "slug": "self-improving-agent-cn"

The embedded package metadata does not match the registry metadata shown for this review, which lists a different owner ID and slug. This is not malicious by itself, but it is a provenance inconsistency.

User impact: It may be harder to confirm which publisher or package identity should be trusted.
Recommendation: Verify the publisher, slug, and installed path before enabling a persistent memory skill.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: High | Confidence: High | Status: Concern
SKILL.md
Important memories are automatically synced to: ~/.openclaw/memory/self-improving/ (global), the current project's .learnings/, AGENTS.md, MEMORY.md

The skill directs memories into global and project-level stores, including files that can influence future agent behavior. The artifacts do not define approval, scoping, review, retention, or trust boundaries for those persistent entries.

User impact: A mistaken or maliciously influenced memory could persist across sessions or projects and change how the agent behaves later.
Recommendation: Require explicit confirmation before writing memory, especially to AGENTS.md or MEMORY.md; keep project memories separate; review diffs; and provide an easy way to inspect, edit, and delete stored memories.