Skill v1.0.0

ClawScan security

Phoenix Loop · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict: Benign (Feb 28, 2026, 7:17 PM)

Verdict: benign
Confidence: medium
Model: gpt-5-mini

Summary
The skill's instructions, file accesses, and persistence match its described purpose of diagnosing failures and creating local recovery skills; no external exfiltration or unrelated credentials are requested, but there are minor inconsistencies and operational risks you should understand before installing.

Guidance
This skill appears to do what it claims and keeps data local, but review these before installing:
1) Platform compatibility — the SKILL.md uses PowerShell commands; ensure your agent runtime supports PowerShell or adapt the commands.
2) Review and approve generated files — the skill will create/update files in skills/local/ that the agent can later run; you should inspect new recovery skills before trusting them for autonomous fixes.
3) Privacy filtering is regex-based and imperfect — run the provided privacy-checklist and consider stronger secret-detection if you have high-sensitivity data.
4) Filename/verification inconsistencies — the skill has a small mismatch in example filenames; test the workflow in a sandbox copy of your repository.
5) Back up skills/local/ and memory/ before first run, and consider restricting autonomous invocation or enabling a manual approval step for new skills until you are comfortable with the loop's behavior.

Review Dimensions

Purpose & Capability: ok
Name and description (auto-diagnose failures, extract patterns, create local skills) align with the actions the skill asks the agent to take: read local memory files, extract patterns, and write skill files to skills/local/. No unrelated credentials, binaries, or network endpoints are requested.
Instruction Scope: note
Instructions operate only on local paths (memory/, skills/local/, HEARTBEAT.md) and include explicit privacy checks. Minor issues: the runtime uses PowerShell commands (Get-Content, Select-String, Test-Path, Rename-Item) but the skill has no OS restriction — this could break on systems without PowerShell or lead to different behavior on Unix. There is a filename inconsistency in completion checks (examples use both skills/local/{name}-recovery.md and skills/local/{name}.md). The sensitive-data filter relies on simple pattern matching, which could miss secrets encoded differently; the doc does not require aborting when secrets are found, only removing or replacing matches.
Install Mechanism: ok
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by an installer; all actions are local file reads/writes performed by the agent at runtime.
Credentials: ok
The skill requests no environment variables, credentials, or external tokens. It references the OPENCLAW_ prefix in its sensitive-data filter (to avoid recording platform tokens) but does not require or attempt to read such environment variables; this is proportionate to its stated privacy goal.
Persistence & Privilege: note
The skill creates and updates files under skills/local/, which persist and can change the agent's future behavior (new recovery skills can be auto-invoked later). always:false (not force-included) mitigates some risk, but persistent creations mean you should review any generated local skill before allowing autonomous re-use. The skill's ability to write persistent executable artifacts is expected for its purpose but raises a usable-security consideration.