Destructive delete command
- Finding
- Documentation contains a destructive delete command without an explicit confirmation gate.
Security checks across static analysis, malware telemetry, and agentic risk
The skill is aligned with self-learning, but it can persistently rewrite the agent’s memory/instruction files and inject learned reminders into future sessions, so it needs careful review before use.
Install this only if you are comfortable with the agent modifying its long-term memory and behavior files. Start with dry-run mode, back up your workspace, review every proposed memory/config change, keep the OpenClaw hook disabled unless you want cross-session reminders, and remove or restrict any tool permissions you do not need.
VirusTotal findings are pending for this skill version.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken, sensitive, or prompt-injected conversation detail could become long-term memory or a future instruction for the agent.
The skill persists conversation-derived content into long-term memory and agent instruction/configuration files, and repeated patterns can be promoted automatically into files that influence future behavior.
Analyze the conversation content from the past 24 hours ... automatically update 8 core configuration files ... Recurrence-Count >= 3 is promoted automatically
Use dry-run/manual review first, restrict the workspace, inspect proposed changes before writing, and require explicit approval before promoting entries into SOUL.md, AGENTS.md, TOOLS.md, BOOTSTRAP.md, or HEARTBEAT.md.
Future sessions may be steered toward processing learned records before or alongside the user’s current request.
The hook can insert reminders into the agent context immediately after the system prompt, based on persistent learning records.
return {
action: 'inject',
message: reminder,
position: 'after_system'
};
Enable the hook only if you want this persistent behavior, keep .learnings content trusted and reviewed, and disable the hook when doing sensitive or unrelated work.
The skill’s available authority may extend beyond reading history and updating memory, potentially allowing messages to be sent into sessions if the agent uses that tool.
Read, Write, Bash, and session-history access fit the memory-update purpose, but SessionsSend grants active session-messaging authority that is not clearly scoped or justified in the provided workflow.
allowed-tools:
  - Read
  - Write
  - Bash
  - SessionsList
  - SessionsHistory
  - SessionsSend
Remove SessionsSend unless it is necessary, or require explicit user approval and clear scoping for any session-sending action.
Users may believe destructive memory edits always require confirmation when some configurations or defaults may not enforce that.
The runtime default shown in the code disables delete confirmation, while the documentation advertises deletion protection; this matters because the skill’s AI update flow can add, update, or delete memory/configuration content.
'safety': {
'require_confirm_for_delete': False,
'max_delete_count': 10,
Set `require_confirm_for_delete: true`, run in `--dry-run` mode before applying changes, and require review for any delete or cleanup operation.
A future dependency version could behave differently from the version the publisher tested.
Dependencies are installed from version ranges rather than locked versions; this is normal for many projects but gives less reproducible provenance.
PyYAML>=6.0 ... pytest>=7.0.0 ... black>=22.0.0 ... flake8>=4.0.0
Install in an isolated environment and consider pinning or reviewing dependency versions before use.