Skill v4.0.1
ClawScan security
Self Improvement Cyber Bye · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 26, 2026, 12:15 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill behaves as advertised (auto-capturing errors and running nightly self-fixes) but it aggressively auto-saves conversational facts (including sensitive categories like relationships, finance, health) into workspace files and creates persistent cron entries — this raises privacy/persistence and escalation concerns that the user should review before installing.
- Guidance: This skill is coherent with its stated purpose but is aggressive about auto-capturing and persistently storing conversation data. Before installing, consider:
  - Privacy: it will auto-save user corrections, health/finance/relationship notes, and session context into workspace files. If those responses may include PII, secrets, or sensitive details, the skill will store them. Decide whether that is acceptable.
  - Escalation: critical or unfixable items are escalated to the workspace owner and can trigger morning-report crons — sensitive contents may be exposed to other humans. Confirm who the 'owner' is and whether they should receive these reports.
  - Retention & deletion: the skill expects persistent files and even marks the nightly cron as permanent. If you install, add or request explicit retention and purge policies (how long errors/improvements are kept, how to remove or redact entries).
  - Opt-in/opt-out controls: if you want limited capture, modify the SKILL.md (or its hooks) to disable Auto-Extract triggers you don't want (e.g., Bond/Finance/Health) or to require explicit confirmation before writing entries.
  - Test in a sandbox: run the skill in an isolated workspace first to inspect what it writes, verify crons it creates, and ensure no sensitive data is recorded.
  - Audit & permissions: ensure the agent's workspace and repository access are restricted appropriately and that any escalation recipients are trusted.

  If you want, I can: (a) produce a minimal-safe variant of the SKILL.md that disables auto-extract and limits capture to explicit user corrections, or (b) list exact edits to the provided files to reduce scope (disable permanent cron, remove Bond/Finance triggers, add redaction filters, add retention policy).
Review Dimensions
- Purpose & Capability (note): The name/description align with the instructions: the SKILL.md and accompanying files are a full implementation of an error-capture + nightly-review memory system. The lack of required binaries/credentials is coherent because this is instruction-only and operates on repository files. Note: the declared purpose explicitly includes sensitive categories (Bond, Finance, Health/Energy), which is consistent with the content but has privacy implications.
- Instruction Scope (concern): Runtime instructions mandate automatic mid-session 'auto-extract' of facts, immediate writes to errors/raw/ before finishing responses, and merging/compression rules. The skill requires the agent to read and write many workspace files (memory/index.json, errors/*, fixes/*, soul, crons/*) and to run a nightly review hook. The instructions give the agent broad discretion to capture user corrections, personal facts, and session context without explicit consent, and to escalate items to the workspace owner. This scope goes beyond a simple 'error logger' into persistent personal data collection and autonomous scheduling.
- Install Mechanism (ok): No install spec and no code files to execute are present; the skill is instruction-only, so nothing new is downloaded or installed. This is lower risk from a supply-chain/execution perspective.
- Credentials (concern): The skill requests no external credentials, which is appropriate, but it stores and indexes potentially sensitive personal data (Bond/Finance/Health entries, full error contexts, user corrections) into persistent workspace files and creates cron entries. That effectively grants it persistent access to session content and the ability to surface that content to the workspace owner. The declared required env/configs are minimal, but the implied requirement — write/read access to the agent's workspace and session context — is broad and may be disproportionate for some users.
- Persistence & Privilege (concern): always:false, but the skill defines a permanent nightly cron (nightly-review) that 'MUST NEVER BE DELETED' and has rules to auto-create temp crons and escalate issues. Combined with autonomous invocation (platform default), this gives the skill recurring, unattended capability to scan stored errors and produce escalation reports. Persistent memory files (soul, memory/index.json, errors/, fixes/, patterns/) will accumulate personal information unless the user configures retention/purging, so the persistence model and cron behavior increase the blast radius.
