Skill v1.0.1

ClawScan security

Skill Cortex · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 28, 2026, 6:32 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions, required binary, and local data usage are broadly consistent with its stated purpose as a transient, learning capability manager, but it stores a local cortex file and has reflex shortcuts that you should understand before installing.
Guidance
This Skill is internally coherent and designed to manage its own temporary Skill installs, but review these points before installing:

- Understand that Skill Cortex will create and update a local file at ~/.openclaw/skill-cortex/cortex.json that contains learned signal words, routing metadata, candidate Skill records, and recorded lesson entries (it claims to strip concrete personal entities and never store secret values). Treat that file as sensitive — if other third-party Skills can read or upload it, it could reveal what services you use.
- The Skill will call `clawhub install/uninstall` to fetch third-party Skills. It asks for explicit approval in standard mode, but reflex mode skips execution-plan confirmation and shows a brief notification you must cancel if you object — reflex is explicitly blocked for Skills that declare write/shell/delete side effects.
- The flow references searching GitHub if ClawHub results are sparse, but the SKILL.md does not declare which tool to use for GitHub searches (no `gh` binary required). Expect the agent to rely on whatever web/search capability it has available.
- If you keep this Skill, protect the cortex.json file and limit which other Skills can read files in ~/.openclaw to avoid leakage of routing/data about your habits or environment.

If these behaviors and local file storage are acceptable given your threat model, the skill appears consistent with its description. If you need stricter guarantees (no persistent local state, stronger confirmation for installs, or blocking any auto-search of external repos), request those changes or decline installation.

Review Dimensions

Purpose & Capability
ok
The skill claims to find/install Skills from ClawHub/GitHub and to manage a local short-term memory; the only required binary is `clawhub`, which matches the documented install/uninstall commands. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
note
SKILL.md instructs the agent to read and write a local file (~/.openclaw/skill-cortex/cortex.json), to search ClawHub (and optionally GitHub), to install/uninstall Skills, and to read installed Skills' SKILL.md. Those actions are within the stated scope, but the GitHub search step is underspecified (no helper CLI declared) and the skill will persist structured metadata and signal words to disk — worth noting because those files reflect user behavior patterns.
Install Mechanism
ok
Instruction-only skill (no install spec, no downloaded archives). No on-disk installers are included by the package itself; it relies on the `clawhub` CLI to fetch other Skills.
Credentials
note
This skill itself requests no environment variables or credentials. It records metadata about candidate Skills (including side-effect tags like `read:env:TODOIST_API_KEY`) and may record 'env_ready' lessons that include environment variable names (but not values). Storing these variable names and learned signal words in cortex.json could reveal which services you use if that file is later read or exfiltrated by another Skill — the skill documents entity filtering, which mitigates but does not eliminate that risk.
Persistence & Privilege
note
always:false (no forced global presence). The skill can be invoked autonomously by the agent (normal), and it supports a 'reflex' fast path that skips execution-plan confirmation (but still issues an install notification). Reflex behavior reduces friction and could cause quicker installs with only a brief 'say cancel to abort' window — the design forbids reflex for Skills with write/delete/shell side effects, which limits risk, but users should be aware of the reduced confirmation in reflex cases.