Skill Cortex
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is not clearly malicious, but it asks the agent to install and run other skills on its own, including unreviewed sources, and can later do so through an opt-out reflex path.
Only install this if you want a self-learning skill manager that can change your agent's capabilities. Prefer disabling reflex mode, approve every candidate explicitly, avoid unreviewed GitHub-sourced skills, inspect each installed skill's permissions and scan status, and periodically review or delete ~/.openclaw/skill-cortex/cortex.json.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A future task could cause the agent to install and run another skill before you have reviewed that skill's commands, data access, or side effects.
The skill gives the agent broad authority to install a selected third-party skill and then execute that skill's instructions; in reflex mode, the execution-plan approval is skipped.
`clawhub install <slug>` ... `Follow the Skill's instructions to complete the task.` ... `Reflex mode skips this step.`
Require affirmative approval before every install and every execution, including reflex mode; show side effects and sensitive reads before running; consider disabling reflex by default.
A malicious, compromised, or misleading third-party skill could be selected from search results and then installed and executed if the user approves it.
The runtime candidate pool can include unreviewed GitHub sources, and the visible install flow uses a generic slug install rather than a pinned version/hash or a mandatory security gate.
`If fewer than 2 relevant results, supplement with a GitHub search (mark as unreviewed source).`
Prefer reviewed ClawHub sources, require pinned versions or hashes, block unreviewed GitHub fallback by default, and make scan status an enforceable policy rather than just displayed information.
Users may believe every install requires an affirmative approval even though the reflex path is described as proceeding unless they cancel.
This reflex wording is an opt-out notification, which is weaker than the README's safety claim that nothing installs without explicit approval.
Installation still requires user notification: ... `Will install and execute. Say cancel to abort.`
Align the documentation and runtime instructions: either require explicit approval in reflex mode or clearly label reflex as opt-out automatic execution.
A learned route may later invoke a skill that uses your account credentials or API tokens, even if this skill itself does not declare credentials.
The cortex can remember that downstream skills use credential-bearing environment variables and network APIs, although the design says it stores only variable names, not secret values.
`read:env:TODOIST_API_KEY`, `network:api.todoist.com` ... `Record only the variable name ... never the value.`
Treat downstream skill credential access as part of each approval decision, and do not allow credential-using skills to run through reflex without explicit confirmation.
The local cortex file may reveal generic patterns of your tasks and could misroute future work if its learned entries become inaccurate or poisoned.
The skill persists learned task signals and uses them to route future tasks; entity filtering reduces privacy risk, but the memory can still influence future skill selection.
Cortex data file: `~/.openclaw/skill-cortex/cortex.json` ... extract 2–4 signal words from the task description and merge into the corresponding region's pattern.
Review or delete cortex.json periodically, keep entity filtering enabled, and require approval before learned routes can trigger installs or reflex execution.
The agent may become faster at repeating past install-and-run decisions, including decisions you may not want repeated later.
Autonomous self-evolution is the disclosed purpose of the skill, and there is no evidence of hidden background execution, but it means agent behavior changes across invocations.
`autonomously find, install, use, and discard Skills` ... `learn from every interaction`
Keep the cortex memory auditable, provide an easy reset/disable option, and avoid enabling reflex behavior for anything involving credentials, network access, or user data.
