Back to skill
Skillv3.2.0
ClawScan security
Skill Engineer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 4, 2026, 5:03 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's files and instructions mostly match its stated role as a skill-engineering orchestrator, but it directs agents to read local OpenClaw files/session memory and to regenerate/commit/push README artifacts — behaviors that are plausible but expand the skill's reach and warrant caution.
- Guidance
- This skill mostly does what it says, but it asks agents to: (1) query your vector memory (session history/notes), (2) read OpenClaw config and skill files in your home/workspace, and (3) regenerate README and push changes to GitHub. Before installing or enabling autonomous use: - Review and run the included scripts locally yourself (check-completeness.sh, validate-scorecard.sh, validate-trigger.sh, quality-score.py) to see what they do and to confirm there are no unexpected network calls. - Restrict or disable autonomous push-to-GitHub behavior: require manual approval for any git commits/pushes or run the README-sync step locally. - Be deliberate about enabling vector memory access (memory_search) because it exposes session history/notes; if that data is sensitive, keep memory.enabled disabled or limit the skill's permissions. - Ensure the dependent deepwiki skill is from a trusted source before using it. If you want higher assurance, run the skill in a sandboxed repo/environment first and require human approval before giving it repository write/push rights or access to session memory.
Review Dimensions
- Purpose & Capability
- okThe name/description (design, review, test skills) align with the included materials: detailed SKILL.md, reviewer/tester/designer guides, and deterministic validation scripts. The declared non-code registry metadata (no env vars/binaries) matches the instruction-only install model; mandatory dependencies listed in SKILL.md (deepwiki skill, vector memory DB) are coherent for an orchestrator that needs current API behavior and session history.
- Instruction Scope
- concernSKILL.md instructs querying the agent's vector memory (memory_search), inspecting local OpenClaw files/paths (e.g., ~/.openclaw/skills/deepwiki/ and openclaw.json) and contains a README sync / push-to-GitHub step. Those actions reach beyond the skill's own files and ask for access to session history, local config and repository operations. While plausible for a skill-engineer, they are significant side-effects and broaden the trust surface.
- Install Mechanism
- okNo install spec or remote downloads; this is instruction-only with packaged reference docs and local validation scripts. That's low-install risk — nothing is fetched from external URLs or extracted. The provided scripts are local deterministic tools (bash/python) that operate on repository files.
- Credentials
- noteRegistry metadata requests no environment variables or credentials. However, SKILL.md requires the vector memory feature and the deepwiki skill and tells the agent to inspect openclaw.json and user skill directories. This does not request new secrets, but it implies access to potentially sensitive session history and local configuration; that access is plausible for the role but should be intentionally granted and audited.
- Persistence & Privilege
- concernalways:false and normal autonomous invocation are set (not elevated). But the workflow explicitly includes a README sync that regenerates README from the implementation and a 'Push to GitHub' step. That implies write/commit and remote push privileges over repositories. The package itself doesn't include automated push code, but the documented workflow expects the orchestrator to perform repo-side changes — a capability that increases impact and should require explicit authorization and careful scoping.