Skillv1.2.2

ClawScan security

Dr. Frankenstein · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 16, 2026, 8:07 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior (reading/writing agent files and generating persistent cron-driven prompts that cause the agent to proactively reach out and act) is coherent with its stated goal but lacks safeguards and could enable unwanted data access, unsolicited outbound actions, or persistent automation without explicit limits.
Guidance: This skill is conceptually coherent (it personalizes agents by reading agent files and scheduling recurring prompts), but it grants the agent the ability to read and write workspace files and to create persistent cron-driven behaviors without built-in safety checks. Before installing: - Review all template prompts (templates/cron-prompts.md) and interview questions to remove or restrict any instructions that might cause the agent to reveal sensitive information or contact external parties without consent. - Ensure SOUL.md, USER.md, MEMORY.md and memory/ do not contain secrets, API keys, passwords, or private data you don't want the agent to reuse or send. - Determine how the generated 'cron jobs' will be scheduled (OpenClaw scheduler vs. system crontab) and require manual approval before any persistent tasks are created. - Test the skill in a sandbox or on a non-production agent to observe outbound behaviors and logs. - Add explicit guardrails (e.g., 'never share secrets', 'confirm before messaging human', whitelist allowed channels) if you decide to use it. If you can provide details about how your agent runs scheduled jobs (sandboxed scheduler vs system crontab) or the sensitivity of the agent's memory files, I can raise or lower the concern level and offer concrete mitigation edits to the prompts and SKILL.md.

Review Dimensions

Purpose & Capability: noteThe name/description claim to add emotional, scheduled 'hormone' behavior to an agent; the SKILL.md consistently implements this by instructing an interview, generating a hormone profile, and producing cron-job prompts. Asking the agent to read SOUL.md, USER.md, MEMORY.md and a memory/ directory and to write memory/journal and dream files is coherent with personalization. No unrelated credentials, binaries, or installs are requested — the required surface is proportionate to the stated purpose.
Instruction Scope: concernRuntime instructions explicitly tell the agent to 'silently read' internal files (SOUL.md, USER.md, MEMORY.md, memory/) and to write logs and cron prompts into the agent workspace. The cron templates encourage the agent to 'reach out', 'surprise the human', 'share knowledge', and 'act on' findings, but do not specify safe channels, consent checks, or rules to prevent disclosure of sensitive data. The scope therefore includes reading potentially sensitive files and initiating outbound/contacting behaviors with no built-in guardrails.
Install Mechanism: okInstruction-only skill with no install spec, no downloads, and no code files — lowest install risk. The README suggests copying the directory into the workspace, which is a manual action; nothing will be written by an automated installer.
Credentials: okThe skill requests no environment variables, credentials, or system config paths in registry metadata. That matches the instruction-only nature. However, the skill still instructs reading/writing agent-local files (which may contain secrets) — the absence of declared credential access is accurate but does not eliminate risk from file I/O.
Persistence & Privilege: concernThe core functionality is to generate cron jobs (persistent scheduled behavior). While the skill itself is not marked 'always:true', the generated crons create durable, autonomous activity in the agent environment. There are no explicit constraints or review steps in the SKILL.md before scheduling actions, increasing the blast radius of any undesired behavior (frequent outbound communication, automated actions, or repeated reads/writes).