Skill v1.0.0

ClawScan security

Super Brain · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 10, 2026, 5:00 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly implements what its description promises (local persistent memory and learning), but there are multiple inconsistencies and privacy/scope concerns (undeclared env usage, filesystem writes, schema/code mismatches) that you should review before installing.
Guidance
Plain-language checklist before installing/running:

- Expect local files: the skill will create/modify files under your home directory (e.g., ~/.openclaw/super-brain.db, vector DB folder, and ~/.openclaw/workspace/TOOLS.md). Back up anything there you care about.
- Environment variable: the runtime code reads USER_ID from the environment but the skill metadata does not declare it. Ensure your agent supplies an appropriate user identifier (or inspect/modify the code to use a safe id source) before letting it run automatically.
- Privacy defaults: by default it stores conversations and mood and does not enable encryption. If you will store sensitive data, change privacy_settings (store_conversations, encryption_enabled) to be conservative or enable encryption and auto-delete policies before use.
- File/schema mismatches: the package contains several scripts that reference tables or features that may not be present in the bundled schema. Expect runtime errors; review references/schema.sql and the scripts for missing tables (e.g., knowledge_gaps, ethical_constraints, self_evolution_log, agent_outputs) and either add them or adjust code.
- Inspect code before running: there are no external network downloads in the bundle, but the code will run on your machine and write to disk. Skim the scripts (install.py, init_db.py, auto_record.py, vector_memory.py, data_manager.py, ethics_engine.py) for any changes you don't want. Look especially for any unexpected subprocess/network calls (none were found in this bundle), hidden endpoints, or telemetry usage (vector module sets anonymized_telemetry=False for ChromaDB if used).
- Test in isolated environment: if possible, run init_db and the scripts in a disposable account/container or with a test user_id to confirm behavior. Verify ethics_engine and privacy settings actually enforce filtering and that auto-delete works.
- If you plan to enable this for real users: enable encryption, reduce retention (auto_delete_days), and ensure the agent only reads/writes the intended DB path. Also consider adding an explicit opt-in prompt to users before the skill stores their data.

If you want, I can:

- point out exact lines where env/db path mismatches occur,
- produce a short patch to make DB path consistent and to require explicit USER_ID in metadata,
- or summarize which tables referenced by scripts are missing from the provided schema.

Review Dimensions

Purpose & Capability
Note: Name/description (persistent cross-session memory) align with the included code: DB init, memory/vector modules, auto-recording, reminders, and an ethics engine. However, the SKILL.md and scripts disagree on default DB paths (SKILL.md and many scripts use ~/.openclaw/super-brain.db, init_db defaults to ./brain.db), and some code references tables that may not exist in the provided schema (e.g., references to knowledge_gaps/self_evolution_log/ethical_constraints/agent_outputs appear in scripts but schema/sql fragments are incomplete or mismatched). These mismatches suggest sloppy packaging and can cause runtime errors or surprises.
Instruction Scope
Concern: SKILL.md mandates a 'must run on every session' startup flow that reads a local SQLite DB and applies preferences before handling any user message. It also instructs running scripts/install.py which modifies files under the user's home (~/.openclaw/workspace/TOOLS.md). The instructions access an environment variable USER_ID (os.environ.get('USER_ID')) even though no env vars are declared in metadata. The startup snippet in TOOLS.md embeds inline Python that references objects (Path) inconsistently. Mandating a per-session local DB read and automatic activation is scope-expansive and requires the agent to access user home files and environment each session; this is appropriate for a memory skill but risky if you didn't expect that behavior.
Install Mechanism
Note: There is no network/install spec; the skill is packaged with Python scripts and SKILL.md. Installation is manual: running scripts/install.py will write/modify ~/.openclaw/workspace/TOOLS.md and the skill expects you to run init_db/install scripts. No remote downloads or external URLs are used, which reduces supply-chain risk; however the package will create files and a database in the user's home directory when installed/run.
Credentials
Concern: Metadata declares no required env vars or credentials, yet code and SKILL.md read os.environ['USER_ID'] (and generally depend on being able to read/write files under the user's home). Privacy defaults store_conversations=True and encryption_enabled=False, meaning conversation history is stored by default unencrypted. The ethics engine exists but relies on DB tables (ethical_constraints) that may not be present. Overall the skill requests access to local files and user identity implicitly without declaring it, and will retain user data unless you change defaults.
Persistence & Privilege
Note: The skill does not set always:true and does not request elevated system-wide privileges. It persists data locally (~/.openclaw/super-brain.db and vector DB path). The install script will modify a TOOLS.md in ~/.openclaw/workspace; that is a persistent change in the user's workspace (expected for a memory skill) but should be noted. Autonomous invocation is permitted by default (disable-model-invocation=false), which combined with the per-session startup requirement increases the impact if the skill behaves unexpectedly, but autonomous invocation alone is platform-normal.