Skillv1.0.0

ClawScan security

xiaobai-memory-guard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 21, 2026, 12:43 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose (scanning agent memory files) is plausible, but the package contains no runnable code and its instructions require cloning and executing an external GitHub repo (unreviewed code) — a mismatch that increases risk.
Guidance: Do not clone or run the remote repo until you inspect its code. This package is documentation-only and references a scripts/memory-guard.mjs that is not included — the author instructs you to git clone a third‑party GitHub repo to obtain and execute that script. Before installing or scheduling it: 1) review the repository (scripts/memory-guard.mjs and any dependencies) for network calls, credential access, or data exfiltration; 2) run it in an isolated sandbox or ephemeral environment first; 3) avoid adding it to session startup or cron until you trust the code; 4) prefer a skill bundle that includes its code or an install spec so the code can be scanned/reviewed. If the upstream repo is provided and you can verify the script's behavior (no unexpected outbound connections, no secret harvesting), the coherence concerns would be resolved and the risk would be lower.

Review Dimensions

Purpose & Capability: noteThe skill's stated goal (detect missing memory files, validate continuity, compare git history) aligns with the actions described in SKILL.md (ls directories, read SESSION-HANDOFF.md, compare git log). However, the published package contains only documentation (SKILL.md, READMEs) and does not include the referenced runtime script (scripts/memory-guard.mjs). The README instructs users to git clone a third-party GitHub repo to obtain the script — this external dependency is necessary for the capability but is not included in the skill bundle, creating an incoherence between what is provided and what is required.
Instruction Scope: noteInstructions explicitly tell an agent/operator to run a node script that will list and read workspace files (memory/, notes/, SESSION-HANDOFF.md) and compare git logs — these file accesses are consistent with the stated purpose. However, SKILL.md also recommends integrating the script into session startup and cron jobs and instructs cloning code from an external repo before running; that places trust in external code execution which is outside the packaged skill and expands runtime authority.
Install Mechanism: concernThere is no formal install spec in the package. SKILL.md instructs the user to run `git clone https://github.com/aptratcn/skill-memory-guard.git` to get the runnable script. Fetching and executing code from an external/third-party GitHub repository is higher-risk than an instruction-only skill because the fetched code could perform arbitrary I/O or network operations; the skill bundle gives no assurance the remote repo is safe. The GitHub host is a known service (lower risk than a personal server/IP), but the repo owner is not verified in the package metadata and the actual script is not present for review in this bundle.
Credentials: okThe skill requests no environment variables or credentials in metadata. The runtime behavior (reading local memory files, SESSION-HANDOFF.md, and git logs) is proportionate to the purpose and does not on its face require secrets. Still, reading workspace files can expose sensitive content (user data, tokens if stored in files), so filesystem access should be treated as sensitive even when no env vars are requested.
Persistence & Privilege: noteThe skill metadata does not force persistent inclusion (always:false). SKILL.md recommends integrating the script into startup flows and cron jobs, which would grant it recurring execution on the host if the operator follows the instructions. That persistence is encouraged by the documentation but is not enforced by the registry metadata — it increases blast radius only after a user installs and schedules the external script.