Skill Cortex Pub

v1.0.1

Skill Cortex is the system's capability cortex. When lacking ability, it autonomously acquires Skills from ClawHub or GitHub, then releases them after use. E...

by Ank Wu @ankwu001
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match what the SKILL.md instructs: it routes tasks, searches ClawHub/GitHub, installs via the clawhub CLI, executes, learns, and uninstalls. Requiring the clawhub binary is appropriate and expected.
Instruction Scope
The instructions read/write a persistent local file (~/.openclaw/skill-cortex/cortex.json) and instruct the agent to search ClawHub and GitHub and to install/uninstall Skills via clawhub. Most actions are scoped to the stated purpose, but two operational behaviors raise concerns: (1) reflex mode can skip the execution-plan confirmation and install/execute a candidate after only a user notification (the skill says 'Say cancel to abort'), which weakens explicit consent; (2) entity filtering (removing PII from signal words) is delegated to the LLM's judgment rather than enforced by a deterministic routine, which risks accidental storage of sensitive identifiers.
Install Mechanism
This is instruction-only and has no install spec, so it does not drop or execute third-party archives itself — it relies on an existing clawhub CLI to perform network installs. That is a lower-risk pattern, provided the clawhub client and remote sources are trusted.
Credentials
The skill declares no required environment variables or config paths (appropriate). It will record environment variable NAMES (e.g., TODOIST_API_KEY) in structured lessons but explicitly says never to store values. This is reasonable, but storing the names and other routing metadata in a persistent file increases privacy sensitivity if that file were later read or exfiltrated.
Persistence & Privilege
The skill writes and updates a persistent cortex.json and will install/uninstall third-party Skills using clawhub. While this fits the stated role, reflex mode combined with autonomous invocation means the agent could install and execute cached Skills with only a notification (not an explicit confirmation), which increases the risk of unintended installs or execution—especially in headless or unattended runs. The skill does not claim to modify other skills' configs, which appears respected.
What to consider before installing
- Understand reflex mode: If a candidate becomes a 'reflex', the skill can skip the execution-plan confirmation and proceed after showing a notification that you must actively cancel. If you run agents unattended or are unsure how notifications are surfaced, this can lead to automatic installs/execs. Ask for a configuration option that requires explicit approval for all installs.
- Trust the clawhub client and sources: The skill calls 'clawhub install' and may supplement ClawHub results with GitHub search results (marked unreviewed). Make sure your clawhub CLI is official and that you trust ClawHub/GitHub packages you may allow to be installed. Consider running this in an isolated environment (container/VM) if you allow automatic installs.
- Persistent file privacy: The cortex stores routing signals and structured lessons at ~/.openclaw/skill-cortex/cortex.json. The SKILL.md requires stripping PII before writing, but that filtering is performed by the LLM instructions rather than an auditable enforcement layer. Inspect the cortex.json contents occasionally and consider encrypting or restricting its permissions.
- Confirm entity-filtering & auditing: If you rely on the 'entity filtering' guarantee, ask for deterministic checks (or code) that validate the filtering, or plan to review the created cortex.json to ensure no personal data or filenames leaked in practice.
- Limit capabilities if needed: If you want stronger guarantees, request configuration options such as: require explicit user approval for all installs (no reflex auto-installs), disable GitHub-supplemented installs, log and prompt before any network install, and run installs in a sandbox.
- Low-risk deployment: If you still want to try it, run Skill Cortex in a controlled/test environment first, verify how it surfaces install prompts (especially reflex notifications), and review the contents of ~/.openclaw/skill-cortex/cortex.json after a few runs.
If you want, I can list specific configuration checks or suggested guardrail settings to request from the skill author (e.g., disable reflex promotion, require explicit consent for GitHub-sourced Skills, or provide an allowlist for installable slugs).

Like a lobster shell, security has layers — review code before you run it.

latest vk97e1g6jfwyf6et254tns6nrdx81yvz3

Runtime requirements

Bins: clawhub