ClawHub
Back to skill
v1.0.2

Openclaw Ability Export

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:16 AM.

Analysis

This instruction-only skill is transparent, but it can expose private agent memory and overwrite persistent agent configuration files, so users should review it carefully before use.

GuidanceInstall and use this only if you are comfortable letting the agent read, export, and overwrite the five named workspace configuration files. Before exporting, consider excluding or redacting MEMORY.md. Before importing, back up existing files and inspect the full package contents rather than approving an all-files import from an unknown source.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
SKILL.md
文件已存在时,**覆盖写入**(非追加) ... 导入会直接覆盖同名已有文件,操作不可逆。

The import workflow instructs the agent to overwrite existing workspace configuration files and states that the operation is irreversible.

User impactExisting agent configuration or memory can be lost or replaced if the user approves the wrong package or a bulk import.
RecommendationBack up the five target files before importing, require per-file confirmation with visible diffs, and avoid approving bulk imports unless the package is trusted.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityMediumConfidenceHighStatusConcern
SKILL.md
导入流程 ... 将选中的 section 内容写入 workspace 根目录对应文件 ... AGENTS.md ... SOUL.md ... MEMORY.md

The skill writes sections from an imported ability package into files that define future agent rules, personality, identity, tools, and long-term memory.

User impactA malicious or poorly reviewed ability package could persistently change how the agent behaves or what it remembers in future sessions.
RecommendationOnly import packages from trusted sources; review the full content or diff of every selected section, especially AGENTS.md, SOUL.md, TOOLS.md, IDENTITY.md, and MEMORY.md, before approving.
Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
默认导出 | 导出全部五个核心文件 ... `MEMORY.md` | 长期记忆与偏好记录 ... 发送到聊天

Export includes MEMORY.md by default and sends the generated Markdown package into the chat.

User impactThe exported package may contain personal preferences, conversation history, identity details, or local tool notes that could be shared further by mistake.
RecommendationUse the option to exclude MEMORY.md when sharing outside a trusted context, and review or redact the generated Markdown before forwarding it.