Skill v1.0.0
ClawScan security
SoulKeeper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 24, 2026, 9:08 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill largely does what it says (audit rules, score transcripts, inject reminders) but it embeds and surfaces references to local credential files and privileged tooling that are not declared or justified, which could cause an agent to read sensitive files or escalate access unexpectedly.
- Guidance: This skill is coherent with its stated purpose, but it embeds hardcoded hints about local tools and credential file locations that are not declared. Before installing or running it:
  1) review the full source (the shipped .py files) for any code that reads /root, /root/.config, or other config files;
  2) do not run it as root; run it in a sandboxed agent account with minimal filesystem access;
  3) if you plan to use remind.py, remove or edit builtin reminders that mention credential paths or tooling you don't want the agent to access;
  4) if you need to run audits against a workspace, point audit.py only at a copy of the workspace that has secrets removed;
  5) ask the publisher for a homepage or source repository and for justification of the hardcoded paths.

  If you cannot verify those items, treat the skill as high-risk and avoid granting it access to sensitive files or credentials.
Review Dimensions
- Purpose & Capability (note): Name, description, SKILL.md, and the three scripts (audit.py, drift.py, remind.py) are coherent: they parse SOUL.md/TOOLS.md/AGENTS.md, generate rules, score transcripts, and produce reminders. However, several built-in reminders and pattern lists reference specific tools and credential locations (e.g., /root/.config/kling-ai/credentials.json, Windows VPS browser automation, upload-post profiles) that go beyond the advertised scope and are not declared in the skill metadata.
- Instruction Scope (concern): SKILL.md instructs the agent to read workspace files (SOUL.md, TOOLS.md, AGENTS.md), which is expected, but the code's builtin reminders and violation patterns explicitly mention system paths and credential files and encourage use of platform tools. Those code-level reminders could cause the agent to read or surface sensitive config files outside the declared workspace scope even though the manifest and metadata do not request access to those paths.
- Install Mechanism (ok): No install spec, pure Python stdlib, no downloads or external packages. Risk from the install mechanism is low: nothing will be fetched from external URLs or written to system locations by an installer step.
- Credentials (concern): The skill declares no required environment variables or config paths, but the code contains hardcoded references to local credential paths and platform tooling (e.g., /root/.config/kling-ai/credentials.json, /root/.openclaw paths, mentions of logged-in Windows VPS/browser automation and upload-post profiles). That mismatch is disproportionate: the skill could lead an agent to access secrets or credentials that were neither requested nor explained.
- Persistence & Privilege (note): always is false and the skill is user-invocable (normal). SKILL.md encourages adding reminders to HEARTBEAT.md or linking scripts into PATH, which would increase how often it runs, but this is a user action rather than a forced privilege. No evidence the skill modifies other skills or agent-level config autonomously.
