Skill v0.2.0

ClawScan security

Proactive Daily Planner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 12, 2026, 9:29 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to implement a straightforward local daily-planner (coherent with its description) but there are small, unexplained red flags — a prompt-injection signal in SKILL.md and an unused child_process import in planner.js — that warrant manual inspection before installing.
Guidance
This skill otherwise appears to do what it says (local planning, templates, and saving plans). Before installing:
1) Inspect SKILL.md and README for any invisible/zero-width/unicode control characters (open in a hex-aware editor or run: sed -n l SKILL.md).
2) Inspect planner.js for any use of execSync or other runtime shell execution (it currently requires child_process but doesn't call it; confirm no hidden code paths call execSync).
3) Confirm you are comfortable with the skill writing files to ~/.openclaw/workspace/memory and with adding cron/heartbeat entries if you enable scheduling.
4) Run the installer and skill in a limited/testing environment first (or with a non-privileged user).
5) Prefer published skills with a verifiable homepage/repository; the package.json points to a GitHub repo — consider checking that remote repo's history and issues for additional context.
If you find hidden characters or unexpected shell calls, treat the skill as unsafe and do not install it.
Findings
[unicode-control-chars] unexpected: The SKILL.md was flagged for containing unicode control/hidden characters. That pattern is commonly associated with prompt-injection attempts to alter parsing or hide instructions. SKILL.md otherwise looks normal; you should open the file in a hex or raw-text viewer to confirm no hidden characters or injected directives are present.

Review Dimensions

Purpose & Capability
ok: Name/description align with the files and behavior. planner.js, templates, README, and config.json implement local planning, templating, and saving plans to ~/.openclaw/workspace/memory as described. Declared future integrations (calendar/email) are disabled in config and merely noted as planned features — this is consistent.
Instruction Scope
concern: SKILL.md only asks to copy the skill into the OpenClaw skills directory, edit config.json, and optionally add cron/heartbeat entries; that is within scope. However, the static scan flagged 'unicode-control-chars' in SKILL.md (possible prompt-injection encoding). Also, SKILL.md and README encourage automatic scheduling/cron/heartbeat integration — if you enable auto-run, you should be aware that the skill will write files into your OpenClaw memory directory. Overall the instructions are reasonable, but the prompt-injection signal in SKILL.md is concerning and should be inspected (see scan_findings_in_context).
Install Mechanism
ok: No remote downloads or package installs. scripts/install.sh copies files into your ~/.openclaw workspace, sets permissions, and optionally updates config.json (using jq if available). The installer runs node planner.js help as a smoke test. This is a low-risk local install pattern.
Credentials
note: The skill requests no environment variables or external credentials. planner.js reads config.json and uses process.env.HOME/os.homedir() to expand paths (expected). One small concern: planner.js imports child_process.execSync (require('child_process')) but does not call it in the current code — that provides the capability to run shell commands if modified in future. The install script also calls timedatectl and uses whoami; those are reasonable for local setup but assume those utilities exist.
Persistence & Privilege
ok: The skill is not 'always: true' and does not request system-wide privileges. It writes to its own skill directory and to ~/.openclaw/workspace/memory (its stated storage location). The installer updates only its own files; it does not modify other skills or global agent settings.