Skill v3.0.0
ClawScan security
Self Learning · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Mar 15, 2026, 6:32 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's documentation is coherent with a self-improvement assistant, but it implicitly instructs searching for credentials and local repo paths without declaring or justifying that access; this mismatch is suspicious and worth review before installing.
- Guidance: This skill is primarily documentation that teaches a 'learn from errors' workflow, and that is plausible. However, the docs repeatedly recommend searching for and validating credentials in multiple locations and show absolute local repo paths and git push commands while declaring no required credentials. Before installing or enabling:
  1. Inspect the skill text for any explicit commands your agent would run that read files or env vars (token searches, git push, clawhub/gh calls).
  2. Don't provide any secrets or system credentials to the skill; prefer skills that explicitly declare required env vars and explain why.
  3. If you want to try it, run it in a restricted/sandboxed agent or non-privileged account and monitor file access and outbound network calls.
  4. Ask the author to clarify exactly what autoprocessing the skill will perform (which paths it will read/write and whether it will attempt to push to remote repos) and to declare any required credentials in metadata.
Review Dimensions
- Purpose & Capability (note): The skill's stated purpose (self-learning, post-task review, knowledge transfer) justifies reading its own docs and logs (ERROR_LOG.md, EXAMPLES.md, EXECUTE.md). However, the materials repeatedly describe credential handling and 'multi-location token search' (e.g. ~/.github-token, ~/.openclaw/, env) and include explicit local repo paths (C:\Windows\system32\UsersAdministrator.openclawworkspace\SELF_LEARNING_SKILL_V3). Those capabilities (scanning home dirs, environment, pushing to GitHub) go beyond merely reading its own knowledge files and are not declared in the skill's requirements, so the stated purpose and the requested capability are inconsistent.
- Instruction Scope (concern): SKILL.md and companion docs describe workflows that imply reading local files, searching multiple locations for tokens, invoking git/ClawHub/gh operations, and referencing absolute local paths. While no direct shell scripts are embedded, the prose instructs actions (publishing, token validation, multi-location credential search, scheduled daily/weekly tasks) that would require reading environment variables and filesystem locations outside the skill's own files. The instructions give broad discretion (e.g. '多位置搜索凭证' ("search multiple locations for credentials"), '发布前验证 token' ("verify token before publishing"), 'git push path') without restricting scope or declaring needed credentials.
- Install Mechanism (ok): No install spec or remote downloads are present and the skill is instruction-only, which minimizes supply-chain risk. Nothing in the metadata indicates it will write or execute additional code on install.
- Credentials (concern): The registry metadata declares no required environment variables or credentials, but the documentation explicitly references environment and credential locations (~/.github-token, ~/.openclaw/, env, GitHub/SSH keys) and git push commands to an admin workspace path. That mismatch (requesting/using secrets in prose but not declaring them) is disproportionate and could lead to undesired access to tokens or other secrets if the agent follows the instructions.
- Persistence & Privilege (ok): The always flag is false (no forced global presence). The skill can be invoked autonomously (platform default), which is normal. There is no indication it modifies other skills or requests permanent elevated privileges.
