Skill v0.1.3

ClawScan security

ClawGraph · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 6, 2026, 8:42 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared requirements (clawgraph binary + OPENAI_API_KEY) match a memory/knowledge-graph purpose, but the runtime instructions proactively store user facts (including potentially sensitive information) without clear consent or redaction rules and the install uses an unfamiliar package installer; these design choices are coherent but raise privacy and supply-chain concerns.
Guidance
This skill is coherent with a memory/knowledge-graph tool, but it instructs the agent to automatically persist user-provided facts. Before installing: (1) Review the upstream package source (the GitHub homepage) and verify the package comes from a trusted registry and author; (2) Confirm what 'uv' installer is and whether the package will run arbitrary code on your machine; (3) Understand and audit ~/.clawgraph/data and ~/.clawgraph/config.yaml (where data is persisted and how it is protected); (4) Decide and enforce policies to avoid storing secrets or sensitive PII (explicit user consent, redaction rules, and retention/deletion policies); (5) Consider using a test account / sandbox and a rotated OPENAI_API_KEY when evaluating; (6) If you require stronger privacy, request or implement encryption-at-rest and explicit confirm-before-write behavior in the tool or agent instructions.

Review Dimensions

Purpose & Capability
ok: Name and description describe a persistent memory/knowledge-graph. The required binary (clawgraph) and single env var (OPENAI_API_KEY) are consistent with a tool that uses an LLM-backed extractor and a local CLI. The skill does not request unrelated credentials or surprising binaries.
Instruction Scope
concern: SKILL.md instructs the agent to proactively store 'durable' user facts even without an explicit 'remember' command and to 'preserve the user's phrasing'. There are no guardrails about excluding secrets/sensitive PII, requiring explicit user consent, or retention/erasure policies. This means the agent may persist passwords, tokens, medical or financial details, or other sensitive data unless callers add protections.
Install Mechanism
note: Install spec uses an installer kind labeled 'uv' and package 'clawgraph==0.1.3', producing a clawgraph binary. No direct URL is provided. Writing an unpacked binary to disk is expected for a CLI tool, but 'uv' is an uncommon installer label in public registries; verify the package source/registry and integrity before installing.
Credentials
ok: Only OPENAI_API_KEY is required and is declared as the primary credential, which aligns with the SKILL.md statement that ClawGraph uses OpenAI-compatible models. No unrelated credentials or broad environment access are requested.
Persistence & Privilege
note: The tool stores data persistently at ~/.clawgraph/data and uses a user config at ~/.clawgraph/config.yaml. always:false (not forced) and autonomous invocation is allowed (platform default). Persistent local storage is expected for a memory skill, but combined with the instruction to auto-store facts, it increases privacy risk; there is no mention of encryption, access controls, or retention.