Skill v1.0.0

ClawScan security

Auto Memory Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 5, 2026, 5:26 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's files and instructions mostly match its stated purpose (curating auto-memory into rules/skills), but there are inconsistencies between claimed behavior and the actual hook implementation and a few potentially surprising local-file operations you should review before enabling.
Guidance
This package appears to do what it says: it reads your auto-memory, identifies patterns, and can promote or extract them into rules or skills. Key things to check before enabling:

- Hooks behavior: README and other docs say the error-capture hook "appends a structured entry to auto-memory," but the shipped hook script only prints a <error-detected> block to stdout (it does not append to MEMORY.md). Confirm whether your platform captures that output into memory automatically or whether the hook only notifies you and expects a manual /si:remember. Don't assume it writes to files.
- File writes on promote/extract: /si:promote and /si:extract can create or modify local files (CLAUDE.md, .claude/rules/, skills/*) and remove entries from MEMORY.md. Make a backup of your memory/rules files or review changes interactively before allowing automatic writes.
- Local file access is broad but relevant: the skill reads ~/.claude/projects/... and project files. That's necessary for its function, but be comfortable with it accessing those paths.
- No network downloads or secret requests were found. Still, test in a safe environment (or with a dry-run option) to confirm the actual side effects match the documented behavior.

If you want to proceed: run /si:review or /si:status in a dry-run mode first, inspect the proposed edits, and enable the hook only after confirming how your platform handles hook output.

Review Dimensions

Purpose & Capability
note: Name/description match what the files do: analyze MEMORY.md, propose/promote rules, and extract portable skills. The included agents (memory-analyst, skill-extractor) and promote/remember/extract/review/status commands are coherent with that purpose. Minor note: some documentation claims the hook 'appends a structured entry to auto-memory' automatically, but the provided hook script only prints a structured message (does not append).
Instruction Scope
concern: Runtime instructions explicitly tell the agent to read local memory directories (e.g. ~/.claude/projects/.../memory/, ./CLAUDE.md, .claude/rules/) and to run shell commands like grep, ls, find. That is appropriate for a local memory-curation tool, but it does mean the skill will read arbitrary files under the declared memory paths and the repository. The discrepancy between claimed automatic write-to-memory behavior and the hook script's actual behavior (prints guidance instead of writing) is an incoherence you should be aware of.
Install Mechanism
ok: No install spec and no remote downloads: instruction-only with a small local hook script. This is low-risk from an installation standpoint because nothing is fetched from external URLs.
Credentials
ok: The skill requires no credentials or external environment variables. The hook script expects CLAUDE_TOOL_OUTPUT in its runtime environment (provided by the host during PostToolUse), which is reasonable for a hook but is not declared as a required env var in metadata; this is a minor documentation gap rather than a secret-exfiltration signal.
Persistence & Privilege
note: always:false (normal). The skill includes actions that can write to project files (promote writes to CLAUDE.md or .claude/rules/ and can remove entries from MEMORY.md). This is expected for the feature but is a write-level privilege to your repository and local Claude config, so you should explicitly confirm file writes before use.