Self Reflection

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: agent-self-reflection
Version: 1.0.0

The skill is designed for agent self-reflection and improvement, reading limited session logs and writing insights to internal agent documentation files. However, the `SKILL.md` explicitly instructs the agent to write 'Improvements to specific skill instructions' or 'Bug fixes in skill workflows' to its own `skills/<skill-name>/SKILL.md` file. This self-modification capability, while intended for benign self-improvement, represents a significant vulnerability. If the agent's reflection process were compromised (e.g., via a sophisticated prompt injection in a session log), this capability could be exploited to rewrite the agent's instructions to perform malicious actions. No direct evidence of malicious intent, data exfiltration, or persistence mechanisms was found in the provided files, and the `scripts/summarize-sessions.sh` script uses safe practices like `tail -n` and `subprocess.run` to mitigate shell injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Sensitive conversation content may be summarized into long-lived memory or instruction files, and a bad or manipulated session could influence future agent behavior.

Why it was flagged

The skill reads prior session transcripts and persists derived lessons into memory and instruction files, so private or adversarial transcript content could be converted into future context.

Skill content

read the JSONL transcript ... tail -50 ~/.openclaw/agents/main/sessions/<sessionId>.jsonl ... Route them: AGENTS.md ... memory/about-user.md ... skills/<skill-name>/SKILL.md

Recommendation

Use only if you want session history to become persistent memory. Add explicit review before writing, avoid copying user instructions verbatim, and keep a clear audit trail or backup of changed files.

What this means

The agent could change files that steer future behavior, and those changes may be hard to notice if the skill runs periodically.

Why it was flagged

The skill authorizes direct file mutation, including agent and skill instruction files, without requiring a user-visible diff or confirmation before applying changes.

Skill content

For each insight, append or edit the appropriate file. Use the `Edit` tool for surgical changes ... Use append ... for daily memory files.

Recommendation

Require a dry-run summary and user approval before edits, restrict writable paths, and prefer appending reviewed notes over modifying core instruction files automatically.

Note (High Confidence)

ASI10: Rogue Agents

What this means

If scheduled, it may repeatedly inspect recent sessions and write memory/instruction updates without a user initiating each run.

Why it was flagged

The skill discloses periodic autonomous operation, but the provided artifacts do not include an install spec that creates a cron job.

Skill content

Designed to run as a cron job. ... Runs hourly via cron.

Recommendation

Install cron scheduling only intentionally, document how to disable it, and consider making each run produce a proposed diff instead of applying changes automatically.

What this means

The skill may fail or behave differently depending on the local environment, and users may not realize these runtime dependencies are needed.

Why it was flagged

The helper script relies on bash, openclaw, python3, and tail, while the registry metadata declares no required binaries and no install spec.

Skill content

#!/usr/bin/env bash ... sessions_json=$(openclaw sessions --active "$ACTIVE_MINUTES" --json 2>/dev/null) ... echo "$sessions_json" | python3 -c

Recommendation

Declare required binaries and document exactly how the helper script is intended to be invoked.