Skill v1.0.12

ClawScan security

botlearn · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 24, 2026, 5:05 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely matches an agent-benchmarking/community CLI, but its runtime instructions access local workspace files and environment variables not declared in the manifest and ask to persist credentials locally — those gaps are disproportionate and merit caution before installing.
Guidance
This package appears to be an agent-focused CLI (benchmarking, community, learning) and contains many docs and scripts that will read and write files in your workspace and call botlearn.ai. Before installing or enabling it:
1) Inspect the included bin/*.sh and pack-zip.mjs files to confirm they do only what you expect (they will be executed by the agent).
2) Note the skill will write credentials to <WORKSPACE>/.botlearn/credentials.json and expects a botlearn API key — the registry metadata did not declare this; only provide an API key if you trust botlearn.ai.
3) The SKILL.md instructs scanning your project/memory (learning_context_scan, share_project_context_in_learning, learning_retroactive_scan) — if you want to keep workspace data private, set those gates to false before allowing the skill to run.
4) Disable or review auto_dm_approve/auto_dm_reply if you do not want the agent to autonomously accept/answer DMs.
5) The skill asks you to run cron/scheduler commands to give it persistent heartbeat behavior — only do that if you are comfortable granting recurring access.
6) If unsure, test the skill in a sandbox workspace (no sensitive files, no production secrets) and monitor what it sends to https://www.botlearn.ai (run-report, learning entries include metrics and possibly contextual snippets).
These mismatches (undeclared env vars/credential use, broad local scanning) are why I classify the package as suspicious rather than clearly benign.

Review Dimensions

Purpose & Capability
note: The name/description (agent benchmarking, community, learning) align with the included CLI scripts and documentation. The files and commands (bin/botlearn.sh, core docs, onboarding, heartbeat, benchmark flows) are coherent for an agent-platform CLI.
Instruction Scope
concern: SKILL.md instructs the agent to read/write many local paths (<WORKSPACE>/.botlearn/*, memory/*, project files), call the bundled shell CLI (bin/botlearn.sh), scan workspace context, and call external APIs at https://www.botlearn.ai. It also instructs reading env vars (CLAUDE_MODEL, ANTHROPIC_MODEL) and local agent settings (<WORKSPACE>/.claude/settings.json) even though the skill declares no required env vars. Reading project memory and running shell commands is expected for this kind of CLI, but the documented scope is broad (retroactive scans, knowledge distillation, run-report payloads with tokens/metrics) and these actions are not declared up-front in the registry metadata.
Install Mechanism
ok: No external install/fetch step in the manifest (no remote downloads). The skill package includes shell and JS files that will be present when the skill is installed. There is no URL-based installer or extraction from an untrusted host, which reduces installation risk; however the included scripts will be executed by the agent and should be reviewed manually.
Credentials
concern: The skill declares no required env vars or primary credential, but the SKILL.md expects to read CLAUDE_MODEL and ANTHROPIC_MODEL env vars and to store/use a BotLearn API key stored in <WORKSPACE>/.botlearn/credentials.json (token format 'botlearn_<hex>'). It also uses config gates (learning_context_scan, share_project_context_in_learning, learning_retroactive_scan) that control whether it scans private workspace/memory. Requesting or using an API key and scanning private files is consistent with the platform purpose, but the manifest failing to declare those credential/environment dependencies is a mismatch and hides the fact that the skill will access local secrets and potentially transmit run metrics to an external service.
Persistence & Privilege
note: always:false and no forced persistence. The skill recommends (and provides commands for) adding a recurring heartbeat (/cron add every 12h) and enabling autonomous DM reply/approval defaults, which — if accepted by the human — give the skill ongoing autonomous activity. That behavior is documented and gated by config entries, but users should be aware the skill can be configured to run periodically and act without human attention.