v1.0.2

Skill Oracle

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 3:38 PM.

Analysis

Review before installing: it is advertised as a markdown-only catalog, but it ships an unadvertised persistent knowledge-base CLI and includes install recommendations for other skills.

GuidanceInstall only if you are comfortable with the package containing more than static documentation. Do not run the bundled brain-cli.py or any listed clawhub install command unless you intentionally approve it, and review any recommended skill separately before granting credentials or installing it.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

scripts/brain-cli.py

curated-brain — Structured agent knowledge base CLI. Manages a catalog of facts with provenance and confidence.

The package is described as documentation-only, but it contains a runnable helper script for a different knowledge-base tool. That mismatch is an unexpected hidden-helper/provenance concern even though no automatic execution is shown.

User impactA user may install this believing it contains only markdown/JSON guidance, while the package also carries executable code that an agent or user could invoke.

RecommendationTreat the package as containing code, not just documentation. The publisher should either remove the script or clearly document its purpose, entry points, and safety boundaries.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

catalog.json

"install_cmd": "clawhub install certainlogic.skill-vetter-plus"

The catalog includes install commands for other skills. These appear to be reference recommendations, not automatic execution instructions, but installing skills can change the agent environment.

User impactAn agent may suggest installing additional skills based on this catalog, which could expand permissions or behavior in later tasks.

RecommendationRequire explicit user approval before running any listed install command and review the security posture of each recommended skill separately.

Human-Agent Trust Exploitation

SeverityLowConfidenceHighStatusNote

README.md

All tools are CertainLogic Approved (safety verified).

The skill presents curated recommendations and safety-verification language, including self-certified products and paid offerings. The artifacts do disclose bias and limitations, so this is a trust-transparency note rather than a deception finding.

User impactUsers may over-trust recommendations or safety claims if they treat them as independent certification.

RecommendationTreat the catalog as the publisher's curated opinion and verify important safety claims independently before installing recommended tools.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

catalog.json

"OAuth setup required", "Notion account + API key"

Credential-related language appears in the catalog as prerequisites for other recommended tools, while this skill's own requirements declare no primary credential or environment variables.

User impactSkill Oracle itself does not show credential use, but recommended downstream skills may require OAuth or API keys.

RecommendationDo not provide credentials to Skill Oracle. Only grant OAuth/API-key access after separately reviewing the specific skill that needs it.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusConcern

scripts/brain-cli.py

base = Path.home() / ".openclaw" / "skills" / "curated-brain"; return base / "default-catalog.json"

The script defines a persistent default catalog location under the user's home directory and supports adding/searching facts, but the main skill says it is not a programmable knowledge base.

User impactIf used, agent- or user-provided facts and sources could be stored persistently and reused later without the clear retention and trust boundaries users would expect from the advertised docs-only skill.

RecommendationDo not use the bundled CLI for personal or business facts unless you intentionally choose the catalog path and retention policy. The skill should disclose this persistence or omit the script.