Skill v1.0.2
ClawScan security
openclaw-reflect · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 23, 2026, 3:30 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions broadly match its stated purpose (automated self‑improvement), but there are a few non-trivial, unexplained risks you should understand before installing — notably automated edits to core agent files, external evaluator calls that transmit MEMORY and sample inputs, and an autonomous payment flow in the repo.
- Guidance: What to consider before installing:
  - Data exfiltration: If you set ANTHROPIC_API_KEY/OPENAI_API_KEY or point to an Ollama host, the skill will send an excerpt of MEMORY.md and sample input summaries to those services for evaluation. Do not enable remote evaluators if your MEMORY.md or tool inputs contain secrets or sensitive data.
  - Automatic file changes: The skill can auto-append to MEMORY.md and CLAUDE.md when confidence thresholds are reached. Review the apply/rollback logic, test in a sandbox workspace, and consider requiring operator approval (avoid --auto) until you trust thresholds and outputs.
  - Payment capability: The repository includes a voluntary payment flow (AGENT-PAYMENTS.md) that shows how an autonomous agent could POST to a local x402 endpoint to make contributions. Ensure your agent cannot make payments without explicit human authorization and that localhost endpoints are protected.
  - Audit artifacts: After installation, monitor .reflect/ (outcomes.jsonl, proposals.json, pending.json, applied.jsonl, snapshots/) and review pending proposals before approving. Use rollback.js to revert undesired changes and verify snapshots are created as expected.
  - Prompt content: The evaluator prompts enforce exact output formats; this is by design but increases the impact of a compromised evaluator backend. If you must run evaluation remotely, prefer a private Ollama instance or rule-based fallback.
  - If you want to proceed: install and run the skill in a restricted test workspace first, do not provide remote API keys initially, and manually review any queued proposals before approval. If you decline automatic application, run apply.js only with explicit --id --approve commands.
- Findings:
  - [system-prompt-override] expected: The evaluator prompts (assets/evaluator-prompt*.md) intentionally instruct a strict output format and a skeptical/adversarial persona; the pattern detector flagged system-prompt style content. This is expected for a separated evaluator but could be abused if the included prompts are used elsewhere or if the evaluator backend is compromised.
Review Dimensions
- Purpose & Capability
  - ok: Name/description (self‑improvement, reflection, rollback) matches behavior: hooks record outcomes, classify/propose/evaluate/apply pipeline, and snapshot/rollback. Declared file writes (.reflect/, MEMORY.md, CLAUDE.md) line up with the actions performed by scripts.
- Instruction Scope
  - concern: At session end the skill automatically runs a pipeline that can generate proposals and (subject to thresholds) append content to MEMORY.md and CLAUDE.md. The evaluator step will send an excerpt of MEMORY.md and sample input summaries to external model backends (Anthropic/OpenAI/Ollama) when API keys/hosts are present — this transmits agent context to third parties. Hooks capture tool input summaries (JSON.stringify of tool_input), which could include sensitive snippets. The pipeline is best‑effort but automatic; instructions and code give the agent broad discretion to create and apply changes to persistent files.
- Install Mechanism
  - ok: No install spec (instruction-only skill with checked-in scripts). All code is in the skill bundle — there are no external downloads or package installs. That reduces supply-chain risk compared to remote fetches.
- Credentials
  - note: No required environment variables, but optional keys (ANTHROPIC_API_KEY, OPENAI_API_KEY, OLLAMA_HOST/PORT) are available to enable remote evaluation. Those are appropriate for the evaluator feature, but enabling them will send memory and proposals to external services. The repo also contains an AGENT-PAYMENTS.md describing an x402 local HTTP payment API (http://localhost:18789) and example endpoints for autonomous contributions — this adds a side‑effect capability unrelated to core reflection logic and deserves operator review.
- Persistence & Privilege
  - note: always:false (normal). The skill auto-applies Tier 1/2 changes if confidence thresholds are met and can queue Tier 3 for operator approval. That means it can autonomously mutate MEMORY.md and CLAUDE.md (and write snapshots) — this is consistent with its purpose but is a powerful capability and increases blast radius if combined with autonomous invocation and external evaluators.
