Skillv2.0.0

ClawScan security

Amygdala Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 15, 2026, 8:21 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's purpose (emotion memory + LLM-based encoding) aligns with requiring a SkillBoss API key and small CLI tools, but the SKILL.md instructs background cron jobs, automatic ingesting of conversation transcripts to an external API, and references many install scripts that are not present in the package — this raises privacy and coherence concerns you should review before installing.
Guidance: This skill's purpose is coherent with needing jq/awk and a SkillBoss API key, but exercise caution: 1) The package contains only SKILL.md — no install or pipeline scripts — so do not run any install.sh or cron commands until you have obtained and inspected the actual scripts (preferably from the referenced GitHub repo). 2) The encode pipeline explicitly sends conversation transcripts to SkillBoss (/v1/pilot). If you install it, you will be transmitting chat history to a third party; confirm what is sent and the retention/privacy policy. 3) The skill will create AMYGDALA_STATE.md files that are auto-injected into sessions — review their contents for sensitive data. Recommended steps before installing: fetch the repository, review install.sh, encode-pipeline.sh, and any scripts that touch transcripts; run scripts in an isolated environment or sandbox; do not provide SkillBoss_API_KEY until you're comfortable with what the pipeline sends; disable or carefully review cron jobs; and verify the repo/source authenticity (the registry lists source as unknown). If you want, share the install scripts or the repo URL and I can inspect them for specific red flags.

Review Dimensions

Purpose & Capability: noteThe stated goal (persistent emotional state with an LLM-based encoder) reasonably explains the declared requirements: jq/awk for local JSON processing and SkillBoss_API_KEY for calls to SkillBoss API Hub. However, the registry lists source as 'unknown' while SKILL.md includes a GitHub repo URL; the package contains no scripts despite the README-style instructions that expect many local scripts (install.sh, encode-pipeline.sh, etc.).
Instruction Scope: concernSKILL.md instructs extracting conversation history, running an encode pipeline that 'calls SkillBoss API Hub (/v1/pilot)', and setting up cron jobs that automatically process transcripts every few hours. It also describes creating AMYGDALA_STATE.md which OpenClaw will auto-inject into sessions. These instructions imply sending potentially sensitive conversation content to a third-party service and automatic background processing; the document does not describe data minimization, consent, or what exact transcript content is sent. Additionally, the instructions reference many scripts and files that are not present in the submitted skill bundle.
Install Mechanism: noteThere is no install spec in the registry (instruction-only), so nothing will be written by the platform itself. But SKILL.md tells the user to run install.sh and set up cron to write files and schedule background tasks. Because the package lacks those scripts, a user would either fetch them from the referenced GitHub repo or run custom commands — you should inspect the actual install scripts before executing them.
Credentials: concernOnly SkillBoss_API_KEY is required — which makes sense if the skill calls SkillBoss. However, that key would be used to send conversation transcripts and derived emotion data to a third party; this is privacy-sensitive. The skill also auto-creates files that are injected into session context (AMYGDALA_STATE.md), which may contain or surface user data. The SKILL.md does not document what is sent, retention policy, or whether sensitive tokens/PII might be transmitted.
Persistence & Privilege: notealways:false (good). The skill expects to create persistent state files in the user's workspace and to schedule cron jobs for periodic decay and encoding. While not an elevated platform privilege, this persistent presence combined with automatic transcript processing increases the risk footprint — review cron entries and generated files before enabling them.