Skill v1.0.0
ClawScan security
self-improving-agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 3:51 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions are largely consistent with a tool that reads and curates Claude Code auto-memory; nothing in the bundle attempts to exfiltrate secrets or reach out to external servers, but there are a few internal inconsistencies to be aware of before installing.
- Guidance: This package appears to do what it says: read Claude auto-memory files, analyze them, and help you promote or extract rules/skills. Before installing or enabling the hook, consider the following:
  - Behavior vs. docs: the README/CLAUDE.md say the error-capture hook appends structured entries to auto-memory on errors, but the provided hook script only prints an <error-detected> message to stdout (it does not modify MEMORY.md). If you expect automatic writing, confirm or modify the hook to match that behavior.
  - File writes: the /si:promote and /si:extract workflows are documented to create or edit CLAUDE.md, .claude/rules/, and project skill folders. If you enable promotion/extraction, these commands will write to your project and ~/.claude — make sure you trust and review changes (and have backups or git) before allowing them to run automatically.
  - Hook scope: installing the PostToolUse hook means the script will run after Bash tool invocations and will examine CLAUDE_TOOL_OUTPUT. That output could contain snippets from commands you run — the hook only extracts short error context and prints it, but be aware it will run on command output in your environment.
  - No network exfiltration observed: there are no outbound network calls or remote downloads in the bundle. Still, review generated files before publishing them (extracted skills, promoted rules) to avoid accidentally committing sensitive local paths or secrets to repo-controlled CLAUDE.md/rules.
  - If you want higher assurance, enable the hook and promotion commands in a disposable/testing project first, inspect the exact file modifications they perform, and (if desired) update the hook to append to MEMORY.md only after an explicit, auditable consent step.
Review Dimensions
- Purpose & Capability (ok): The skill declares it curates auto-memory (MEMORY.md → CLAUDE.md/.claude/rules/ and can generate skills). The files and agents explicitly read ~/.claude/projects/.../memory and the project CLAUDE.md and rules/ directories — access that is required for this purpose. No unrelated credentials, binaries, or network endpoints are requested.
- Instruction Scope (concern): Most runtime instructions stay within the stated domain (reading auto-memory, analyzing entries, suggesting promotions, generating SKILL.md). However, there are internal inconsistencies: (1) agents/memory-analyst.md explicitly says 'Never modify files directly — only analyze and report', while skills/promote/SKILL.md and the /si:promote workflow describe editing CLAUDE.md, creating .claude/rules/ files, and removing entries from MEMORY.md (i.e., modifying files). (2) The documentation and README claim the error-capture hook 'appends a structured entry to auto-memory' on errors, but hooks/error-capture.sh only prints a concise <error-detected> message to stdout and does not append to MEMORY.md. These mismatches mean the behavior you read in prose may not exactly match what will be executed — verify which behavior you want before enabling write operations or the hook.
- Install Mechanism (ok): This is an instruction-only skill (no install spec that downloads external code). The only executable file is a small local bash hook. No remote installs, archives, or package downloads are present in the provided manifest.
- Credentials (note): The skill declares no required environment variables or credentials. The hook expects the platform-provided CLAUDE_TOOL_OUTPUT and uses HOME/pwd paths to locate memory files — these are reasonable for a memory-curation tool. No unrelated secret or cloud credentials are requested. The skill will read (and in some flows write) files under ~/.claude and the project directory; that file access is necessary for its purpose but is elevated in that it touches user-level configuration and project files.
- Persistence & Privilege (ok): The skill's always flag is false and the skill is user-invocable; the only persistence comes from normal file writes (promote/extract/remember operations that create or modify CLAUDE.md, .claude/rules/, MEMORY.md, or local skill folders). The hook being installable into .claude/settings.json gives it automatic invocation on PostToolUse, but this is a normal plugin hook pattern. No skill-level setting forces always-enabled or otherwise escalates privilege beyond file reads/writes in user/home/project spaces.
