Skill Cortex Pub
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill is openly a dynamic skill manager, but it can install and run third-party skills, including unreviewed sources, and its reflex mode can skip normal confirmation.
Install only if you are comfortable letting an agent manage other skills on demand. Review every candidate skill before approval, avoid GitHub/unreviewed sources unless you trust them, disable or tighten reflex mode for anything involving credentials or network access, and periodically inspect ~/.openclaw/skill-cortex/cortex.json.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A poor or malicious third-party skill could be installed and then followed by the agent, affecting files, accounts, or future behavior depending on that skill's instructions.
The skill directs the agent to dynamically acquire third-party skills, including GitHub candidates explicitly described as unreviewed, which can change the agent's runtime behavior.
When lacking ability, it autonomously acquires Skills from ClawHub or GitHub ... supplement with a GitHub search (mark as unreviewed source).
Restrict automatic acquisition to reviewed ClawHub skills by default, require explicit per-source approval for GitHub candidates, and pin versions or commits before installation.

The agent may run a remembered skill before the user has reviewed its current execution plan, side effects, or credential use.
Reflex mode changes the workflow from explicit confirmation to opt-out notification while still installing and executing another skill.
Reflex mode skips only the execution plan confirmation ... Will install and execute. Say cancel to abort.
Require an explicit yes/no approval before every install and execution, or at minimum disable reflex for any skill with network, credential, shell, write, or delete side effects.

A skill that reads API keys or account configuration could still be considered read-only and run through a reduced-confirmation path.
The documented side-effect model treats environment-token reads and network access separately from the write/delete/shell prefixes that block reflex promotion.
"side_effects": [ "read:env:TODOIST_API_KEY", "network:api.todoist.com" ] ... Skills with these prefixes can NEVER enter reflex mode
Treat any credential, token, session, or authenticated network access as sensitive and require explicit user approval each time before running such skills.

The local cortex file may reveal task categories and, if corrupted or poorly filtered, could steer future tasks toward the wrong skill.
The skill persistently stores learned task-routing signals and uses them to influence future skill selection.
Cortex data file: `~/.openclaw/skill-cortex/cortex.json` ... extract 2–4 signal words from the task description and merge into the corresponding region's pattern.
Periodically inspect or reset cortex.json, keep entity filtering enabled, and avoid allowing unrelated skills to read or modify this file.
