Skill Cortex Pub

Review

Audited by ClawScan on May 10, 2026.

Overview

This meta-skill is not clearly malicious, but it deserves review because it can install other skills, remember learned routes, and let some future workflows run with reduced confirmation.

Install only if you are comfortable letting the agent propose and temporarily install other skills. Require explicit approval for every acquired skill, avoid unreviewed GitHub sources, inspect or reset ~/.openclaw/skill-cortex/cortex.json periodically, and do not allow reflex mode for workflows involving credentials, network APIs, private files, or account changes.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A bad or compromised acquired skill could add unsafe instructions or actions to the agent's environment.

Why it was flagged

The skill asks the agent to bring in and run third-party skills, including from GitHub, but the artifacts do not define strong source trust, pinning, review, or containment rules for those acquired skills.

Skill content

When lacking ability, it autonomously acquires Skills from ClawHub or GitHub, then releases them after use.

Recommendation

Approve each install only after reviewing the candidate source, version, permissions, and safety information; prefer trusted and pinned sources.

What this means

Future tasks may run learned read/network/API workflows with less review than the first execution.

Why it was flagged

Reflex mode can skip execution-plan confirmation based only on the absence of write/delete/shell tags. The schema also models side effects such as env reads and network calls, which the reflex rule does not exclude.

Skill content

Promotion Conditions ... side_effects contains no `write:`, `delete:`, or `shell:` prefix ... Reflex skips only the "execution plan confirmation"

Recommendation

Treat credential use, network calls, broad file reads, and account access as non-reflex actions unless the user has explicitly allowlisted that exact skill and scope.

What this means

Incorrect, stale, or tampered memory could cause the agent to choose the wrong skill or skip normal discovery and review steps later.

Why it was flagged

The persistent cortex file directly influences future semantic matching, skill selection, weighting, and reflex behavior across tasks.

Skill content

Cortex data file: ~/.openclaw/skill-cortex/cortex.json ... Update the cortex memory. Successful Skills gain weight; failed ones decay.

Recommendation

Make cortex updates inspectable, validate the file schema, restrict file permissions, and give users an easy way to reset or disable reflex memory.

What this means

A selected skill may act with the authority of already-configured account credentials, even though this skill itself does not store the secret value.

Why it was flagged

The design contemplates skills that use environment-based credentials and network APIs. It says not to store credential values, which is good, but the presence of credential-backed routing is important for users to notice.

Skill content

"side_effects": ["read:env:TODOIST_API_KEY", "network:api.todoist.com"] ... Record only the variable name ... never the value.

Recommendation

Review any candidate skill that reads environment variables or uses account APIs, and require confirmation before it performs credential-backed actions.