Skillv1.0.1

ClawScan security

Hierarchical Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 22, 2026, 8:53 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what it says (creates and links markdown memory files) but the included script hardcodes absolute /root workspace paths and does not sanitize inputs, which could allow unintended writes outside the intended area — this mismatch with the SKILL.md security claim is concerning.
Guidance: This skill is plausibly doing what it says (creating memory files) but has unsafe implementation details you should consider before installing or running it: - Risk: The included script hardcodes /root/.openclaw/workspace paths and does not validate branch names or parent paths. A crafted name like "../somewhere" could cause the script to write or append files outside the intended memory folder (directory traversal). - What to do before running: Inspect or patch scripts/add_branch.py. Prefer changes such as: - Use a configurable or relative workspace path rather than an absolute /root path. - Normalize and validate names (reject path separators), and use pathlib to resolve and ensure the target is inside the intended base directory (compare abspath prefixes). - Limit file modes and avoid appending to arbitrary files without validation. - Operational advice: Run the skill only in an isolated agent workspace or sandbox (not on a host with sensitive files), avoid running it with root privileges, and avoid giving the agent broad autonomous invocation rights until you vet the script. If you expect to store sensitive data in memory files, consider encrypting them or restricting who/what can read them. If you cannot or will not review the script, treat the skill as potentially unsafe and avoid installing it on production or sensitive systems.

Review Dimensions

Purpose & Capability: noteThe name/description (hierarchical memory management) matches the included script's behavior: creating directories and markdown files under a memory workspace and appending links. However, the script hardcodes absolute paths (/root/.openclaw/workspace/...), which is brittle and can have broader filesystem effects depending on the runtime environment. For a memory-management skill this is mostly reasonable, but the choice of absolute root paths (instead of a relative or configurable workspace path) is disproportionate and risky.
Instruction Scope: concernSKILL.md claims the script "does not perform any network activity, access sensitive system files, or execute external code." The script itself performs local file system writes and appends to files under /root/.openclaw/workspace. More importantly, it does not sanitize user-provided names or parent paths: passing names with path separators (e.g., '../') could result in directory traversal and writing/appending outside the intended memory folder. This contradicts the strong safety claim in SKILL.md and grants broad write capability based on uncontrolled input.
Install Mechanism: okThere is no install spec (instruction-only) and the code footprint is small (one Python script). No external downloads or package installs are requested. This is low-risk from an install/execution perspective, provided the script is reviewed and run in an appropriate sandbox.
Credentials: noteThe skill requests no environment variables or credentials, which aligns with its purpose. However, the script's hardcoded absolute paths presume a specific runtime layout and root-accessible paths; that assumption is not justified in the metadata and could cause the script to operate outside intended boundaries on some deployments.
Persistence & Privilege: okThe skill is not marked always:true and does not attempt to change other skills or system-wide configuration. Its only persistent effect is writing/append to files under the workspace. That persistence is expected for a memory-management tool, though the lack of input sanitization raises the risk of unintended persistent changes.