Skill v1.0.9

ClawScan security

Clawtrial Courtroom · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 20, 2026, 3:58 PM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill's code and install-time behavior contradict its 'local-only' claims and include automated system-prompt injection and persistent modifications to agent configs—this is coherent with an autonomy goal but risky and disproportionate to what's described.
Guidance
This package contains executable code and an install-time script that will modify agent configuration, create symlinks in your home directory, add autonomous execution instructions, and by default enable a remote API endpoint for case submission — despite claiming 'local-only' processing. Before installing, consider: 1) Do you trust the remote endpoint (https://clawtrial.app) to receive conversation data? 2) Are you comfortable with the skill adding automated system-prompt instructions that tell agents to run tasks silently without confirmation? 3) Run the installer in a sandbox or inspect scripts/postinstall.js and other scripts (setup-cron.js, check-and-trigger.js) to confirm they only do what you expect. If you want the functionality but with less risk: install without running postinstall, skip symlink/auto-enable steps, disable api submission in the saved config (api.enabled=false), and do not apply any system-prompt changes. If you are unsure or cannot audit the code, do not install on a production machine.
Findings
[system-prompt-override] unexpected: AGENT_CONFIG.md and multiple scripts explicitly recommend or attempt to inject automation into the agent's system prompt and to append auto-execution instructions to local files, which is not required for passive monitoring and creates a prompt-injection risk.

Review Dimensions

Purpose & Capability
Concern: The skill claims local-only monitoring and anonymized public records, but package/config sets api.endpoint to https://api.clawtrial.app/cases and enables API submission by default. The code generates cryptographic keys, writes to home config directories, and installs symlinks into agent plugin directories—these actions are plausible for a monitoring plugin, but the presence of remote API submission (contradicting 'local processing' in SKILL.md) is inconsistent and unexplained.
Instruction Scope
Concern: SKILL.md and bundled docs (AGENT_CONFIG.md, scripts/*) instruct automated, silent execution: they push system-prompt overrides or file-based triggers that tell the agent to 'execute immediately without confirmation' and to read/write files under ~/.clawdbot/ or ~/.openclaw/. The instructions grant the skill broad authority over agent behavior and encourage system-prompt injection—scope creep beyond monitoring.
Install Mechanism
Concern: No network-download install spec is in the registry entry, but package.json includes a postinstall script (node scripts/postinstall.js) which will run on npm install and attempts to create symlinks, write to bot config files, modify SOUL.md/AGENTS.md, and set up keys/cron. Postinstall scripts that modify user config are high-impact; although code is local (not downloading arbitrary archives), automatic modification of agent configs and writing autonomous-execution instructions is a risky install-time behavior.
Credentials
Concern: The skill requests no environment variables, but it writes secret keys (tweetnacl-generated secretKey) to disk and enables an API endpoint for case submission by default. SKILL.md states 'All processing is local' while code has api.enabled=true and api.endpoint set to a remote URL, creating a mismatch and possible exfiltration path. It also recommends system-prompt changes that cause agents to read conversation history files—this exposes user conversations to the skill and possibly to external submission.
Persistence & Privilege
Concern: The installer and scripts attempt to persist the skill by symlinking into agent plugin/skills directories, editing the agent's config to enable the plugin, appending auto-execution instructions to files like SOUL.md/AGENTS.md, and recommending system-prompt injection. While always:false, these changes modify other system/agent configs and permanently increase the skill's reach—this exceeds a normal user-invocable monitoring tool's minimal privileges.