Skill v2.1.0

ClawScan security

Divorce · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 4:37 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (organizing divorce information) is plausible and the included script is benign, but the SKILL.md references many missing scripts and documents and the package lacks provenance — these inconsistencies warrant caution before installation.
Guidance
This package contains one harmless Python script that logs financial items locally, but the manifest claims many other scripts and reference files that are missing and the skill has no homepage or publisher information. Before installing: (1) verify the missing scripts/references — ask the publisher or refuse install if you need the full functionality; (2) review any additional scripts or docs when/if provided; (3) be aware data is stored under your home directory (~/.openclaw/workspace/memory/divorce) — encrypt or sandbox that folder if it will hold sensitive information; (4) prefer skills from known sources or with a homepage; and (5) if you allow the agent to run it, expect runtime errors when it attempts to run absent scripts. These inconsistencies make the package suspicious but not clearly malicious.

Review Dimensions

Purpose & Capability
concern: The skill's name/description (divorce support, financial inventory, deadlines, parenting plans) aligns with the one included script (financial_inventory.py). However, SKILL.md repeatedly references many other scripts (compare_process.py, prep_attorney.py, parenting_plan.py, check_deadlines.py, log_document.py, track_expense.py, self_care_check.py) and multiple reference docs that are not present in the file manifest. That mismatch suggests the package is incomplete or mispackaged — the declared capabilities exceed the actual deliverables.
Instruction Scope
concern: SKILL.md instructs the agent to run several scripts and store data under memory/divorce/. The included script writes to ~/.openclaw/workspace/memory/divorce, which is consistent with local-only storage, but most runtime instructions point at non-existent files. An agent following the instructions may attempt to execute scripts that are not provided. SKILL.md's 'All divorce data stored locally only' is a policy statement but not programmatically enforced across missing components.
Install Mechanism
ok: There is no install spec (instruction-only), and only a single Python script is included. No downloads, package installs, or archive extraction are present — this is low-risk from an install mechanism perspective.
Credentials
ok: The skill declares no required environment variables, no credentials, and no config paths. The included script only reads/writes a directory under the user's home. The requested environment access is proportionate to the stated purpose.
Persistence & Privilege
ok: 'always' is false and the skill is user-invocable. It does write files into a user-visible directory under the home directory (memory/divorce), which is expected for local data storage but not privileged. Autonomous invocation is allowed by default (normal) but not combined here with broad credentials or system-wide changes.