Temp Publish
Warn. Audited by ClawScan on May 10, 2026.
Overview
This skill is not clearly malicious, but it instructs the agent to install and run other skills on its own initiative, with an opt-out reflex mode and a persistent routing memory that decides future installs, so users should review it carefully.
Install this only if you intentionally want an agent to manage other skills on demand. Prefer explicit approval for every candidate, avoid unreviewed GitHub sources unless you inspect and pin them, disable or tightly limit reflex mode, and periodically review or reset `~/.openclaw/skill-cortex/cortex.json`.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A learned route could cause the agent to add and run a third-party skill before the user reviews the full plan, changing what the agent can do during the task.
The skill can install a new skill and then execute that skill's instructions. In reflex mode, this can proceed after an opt-out notification rather than explicit execution-plan approval.
`clawhub install <slug>` ... `Follow the Skill's instructions to complete the task.` ... `Will install and execute. Say cancel to abort.`
Require explicit user confirmation for every install and execution plan, including reflex cases. Show the exact slug, version, source, and side effects before running any installed skill.
A read-only downstream skill could use existing credentials or query an external account without the user seeing the normal credential-use warning first.
Reflex eligibility excludes write/delete/shell side effects, but it does not clearly exclude read-only skills that use API keys, environment variables, account access, or network calls. The credential warning step is skipped in reflex mode.
Side-effect severity: ... `🔑 sensitive credentials` ... `Reflex mode skips this step` ... `No write side effects`
Disallow reflex mode for any skill with credential, session, account, auth-profile, or network side effects unless the user has explicitly approved that exact skill, version, and credential scope.
The agent may introduce and trust instructions from less-reviewed third-party sources, increasing the chance of unsafe or misleading skill behavior.
The skill may select candidates from a GitHub search, which its own instructions mark as an unreviewed source. The artifacts do not describe commit pinning, signature verification, or a constrained GitHub install workflow before the selected skill is executed.
`If fewer than 2 relevant results, supplement with a GitHub search (mark as unreviewed source).`
Prefer reviewed ClawHub skills, require explicit approval for any GitHub candidate, pin GitHub sources to immutable commits, and display provenance and scan status before installation.
If the memory becomes inaccurate, poisoned, or tampered with, future tasks may be routed to the wrong skill. The file can also reveal a local profile of task types and service names.
Persistent memory stores routing patterns, candidate weights, lessons, and reflex state, then uses that state to decide which skills to install and run in future tasks.
Cortex data file: `~/.openclaw/skill-cortex/cortex.json` ... `Every invocation is learned and reinforced` ... `future identical tasks fire as reflexes`
Keep the cortex file local and reviewable, add integrity checks or reset controls, log memory changes, and require explicit confirmation before memory-derived reflex routes execute.
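A way to implement the integrity check, change log, reset control and confirm-before-reflex rule this recommendation asks for, as an added example written for this review and not code from the audited skill. It assumes the cortex file is JSON with top-level `routes`, `lessons` and `reflexes` keys (the review only names the file and the kinds of state it holds), keeps an HMAC tag in a hypothetical `cortex.json.sig` sidecar, and holds the key in a constant for illustration; in use the key belongs to the host harness, not to anything the skill's instructions can read:

```python
"""Integrity guard for a persistent routing-memory file.

Added example for this review, not code from the audited skill. Assumes a
JSON file with top-level routes/lessons/reflexes (the review only names the
file) and a hypothetical cortex.json.sig sidecar carrying an HMAC tag.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

EMPTY_STATE = {"routes": {}, "lessons": [], "reflexes": {}}


class IntegrityError(Exception):
    """Raised when the memory file does not match its tag."""


def sig_path(path: Path) -> Path:
    return path.with_name(path.name + ".sig")


def tag(data: dict, key: bytes) -> str:
    # Canonical JSON so equal state always yields an equal tag.
    body = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def diff(old: dict, new: dict, prefix: str = "") -> list:
    """Human-readable list of changed leaves, so memory edits can be reviewed."""
    changes = []
    for k in sorted(set(old) | set(new)):
        o, n = old.get(k), new.get(k)
        if isinstance(o, dict) and isinstance(n, dict):
            changes += diff(o, n, f"{prefix}{k}.")
        elif o != n:
            changes.append(f"{prefix}{k}: {o!r} -> {n!r}")
    return changes


def write(path: Path, data: dict, key: bytes) -> None:
    path.write_text(json.dumps(data, indent=2))
    sig_path(path).write_text(tag(data, key))
    os.chmod(path, 0o600)  # keep the local task profile owner-readable only


def load(path: Path, key: bytes) -> dict:
    """Refuse to route on memory whose tag is missing or wrong."""
    data = json.loads(path.read_text())
    sp = sig_path(path)
    if not sp.exists() or not hmac.compare_digest(sp.read_text().strip(), tag(data, key)):
        raise IntegrityError(f"{path} does not match its tag; reset before routing")
    return data


def save(path: Path, data: dict, key: bytes, log: list) -> None:
    """Verify the previous state, log every change, then write the new state."""
    old = load(path, key) if path.exists() else {}
    log.extend(diff(old, data))
    write(path, data, key)


def reset(path: Path, key: bytes, log: list) -> None:
    log.append("reset: memory cleared")
    write(path, EMPTY_STATE, key)


def reflex_route(memory: dict, task: str):
    """A remembered reflex is a proposal, not an authorisation: the caller must
    still show the plan and obtain a yes before installing or running the slug."""
    slug = memory.get("reflexes", {}).get(task)
    return None if slug is None else {"slug": slug, "requires_confirmation": True}


def demo() -> dict:
    """Save, update, tamper, detect, reset. Uses a constructed sample state."""
    key = b"example-key-held-by-the-host-not-the-skill"  # illustration only
    path = Path(tempfile.mkdtemp()) / "cortex.json"
    log = []
    state = {"routes": {"summarize pdf": {"summarize-pdf": 0.9}}, "lessons": [], "reflexes": {}}
    save(path, state, key, log)
    state["reflexes"]["summarize pdf"] = "summarize-pdf"   # a learned route becomes a reflex
    save(path, state, key, log)
    roundtrip = load(path, key) == state
    # Out-of-band edit: something re-points the reflex at another skill.
    tampered = json.loads(path.read_text())
    tampered["reflexes"]["summarize pdf"] = "other-skill"
    path.write_text(json.dumps(tampered))
    try:
        load(path, key)
        detected = False
    except IntegrityError:
        detected = True
        reset(path, key, log)
    return {"roundtrip": roundtrip, "tamper_detected": detected,
            "log": log, "after_reset": load(path, key)}
```

The tag catches edits made outside this code path (another process, a prompt-injected write, a synced copy), and the change log turns "every invocation is learned and reinforced" into something an operator can read; `reflex_route` is the hook where the agent should stop and ask rather than proceed.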
A user may believe reflex mode still waits for a clear yes/no approval, when the operational instructions allow proceeding unless the user cancels.
The README's safety claim (quoted below) is stronger than the SKILL.md reflex flow, which installs and executes after a notification ending in `Say cancel to abort`. That is opt-out, not explicit confirmation.
- All installations require user confirmation, even in reflex mode
Align the README and SKILL.md. Either make reflex require explicit confirmation or clearly disclose that it is opt-out and disabled for any sensitive or networked skill.
