ClawHub

Cpppselfimprovingagent123123

v1.0.1

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...

0· 304·1 current·1 all-time
by@blockcloud·duplicate of @raghuraam25/skilldevelop
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md, hook handlers, and scripts all implement a self-improvement / learning-capture workflow (logging to .learnings/, injecting bootstrap reminders, detecting command errors, extracting skills). That is coherent with the description. However, the registry metadata (slug/name: cpppselfimprovingagent123123, owner id, version) does not match the internal SKILL.md/project name (self-improvement / self-improving-agent) and the SKILL.md points to an external GitHub repo. This mismatch (packaged name vs internal identifiers/source) is unexpected and should be verified with the publisher.
!
Instruction Scope
The runtime instructions and included scripts will be executed as hooks if the user enables them. The error-detector script reads the CLAUDE_TOOL_OUTPUT environment variable (and matches many error patterns) and the hook handlers inject virtual bootstrap files into session context. The SKILL.md and docs instruct copying hooks into ~/.openclaw/hooks and enabling them (which causes the scripts to run automatically in sessions). The SKILL.md does not explicitly declare CLAUDE_TOOL_OUTPUT as a required env var, and the instructions give the agent discretion to promote learnings to workspace files — this broad scope (reading tool outputs, writing .learnings/, injecting bootstrap files) is normal for this type of skill but should be reviewed because it gives the skill the ability to observe tool outputs and create files in your user workspace when enabled.
Install Mechanism
There is no formal install spec in the registry; SKILL.md suggests manual git clone or 'clawdhub install' and includes helper scripts for hook activation and skill extraction. No remote binary downloads or archive extraction are used. Manual installation will pull code from GitHub (a normal pattern) — verify the referenced repo and its contents before cloning. The included shell scripts are executable and would run on the host if hooks are enabled.
!
Credentials
The skill declares no required env vars, but the error-detector script explicitly reads CLAUDE_TOOL_OUTPUT to detect failures. That environment variable is referenced in docs as well. Accessing tool output and session context is reasonable for an error-detection hook, but it's an environment access not declared in the skill metadata and can contain sensitive command output. There are no other credential requests, which is proportionate to the stated purpose.
Persistence & Privilege
always:false (good). The skill is user-invocable and can be enabled as hooks, which will run with the same permissions as the agent process and can persist if you add hook configuration to user-level settings (e.g., ~/.claude/settings.json). This is expected for hook-based functionality, but enabling hooks at user/global scope gives the skill ongoing execution capability and write access to your workspace (e.g., creating/updating .learnings/).
What to consider before installing
This package mostly does what it says (log learnings, inject reminders, detect command errors), but take these precautions before installing or enabling its hooks: - Verify provenance: the registry name/slug and the SKILL.md/internal names differ and the source is marked 'unknown'. Check the referenced GitHub repo and confirm the author/publisher before cloning or running scripts. - Inspect the scripts: review scripts/activator.sh, scripts/error-detector.sh, scripts/extract-skill.sh and hooks/openclaw/handler.{js,ts} locally to ensure you’re comfortable with what they do (they read tool output, push virtual bootstrap files, and can write new files). Do not run them blindly. - CLAUDE_TOOL_OUTPUT access: the error-detector reads CLAUDE_TOOL_OUTPUT (not declared in metadata). That variable may contain sensitive tool output; only enable the PostToolUse hook if you trust the skill and its environment. - Prefer local/sandbox testing: enable hooks in a test workspace or run the scripts manually in a sandbox first to observe behavior. Avoid enabling user-level/global hooks until you’re satisfied. - Check file write locations: the skill will create or update ~/.openclaw/workspace/.learnings/ (or .learnings/ in a project) if used. Ensure you are okay with those files being created and stored. - If you need higher assurance: contact the publisher or review the upstream repo commit history to confirm the code hasn't been tampered with. Given the origin/name mismatches and the undeclared environment access, proceed cautiously — the package is coherent in purpose but has enough inconsistencies to treat it as suspicious until you verify its source and contents.

Like a lobster shell, security has layers — review code before you run it.

latestvk977yee61jyjrzrxy79ewaraex823hbk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments