Back to skill
Skillv1.0.0
ClawScan security
Temp Test · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 28, 2026, 5:22 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's declared metadata is plausible for a
- Guidance
- This skill is an instruction-only 'persona core' that reads and writes files under your home (e.g. SOUL.md, USER.md, ~/self-improving/events.jsonl, ~/characters/, .tiered-recall/index.json) but the published metadata does not declare any required config paths or permissions. Consider the following before installing: - Ask the publisher which exact files and directories the skill will read and write, and whether paths can be restricted or changed to a sandboxed workspace. - If you value privacy, do not install unless the skill runs in an isolated environment (container or dedicated workspace) because it will store persistent memories that may include sensitive content. - Confirm how often the skill will run automatic heartbeats and whether those background actions can be disabled. - Back up any files that share names with the skill's expected filenames in your home (SOUL.md, MEMORY.md, self-improving/) or move them to a dedicated directory and update the skill's config (if possible). - If you need stronger assurances, request explicit manifest updates: declare required config paths, describe persistence behavior, and provide an opt-out for automatic per-session runs. Without those, the skill is coherent with its stated purpose but has unexplained filesystem privileges — treat it cautiously.
Review Dimensions
- Purpose & Capability
- noteThe declared purpose (a persistent 'Jarvis' persona with layered memory) aligns with instructions that read and write memory and personality files; however the skill's metadata declares no required config paths or storage access while the runtime instructions explicitly read/write multiple files under the user's home (e.g. ~/self-improving/events.jsonl, ~/characters/, .tiered-recall/index.json, SOUL.md, USER.md, MEMORY.md). That mismatch (no declared config paths but explicit filesystem I/O) is an incoherence.
- Instruction Scope
- concernSKILL.md tells the agent to automatically read many user/home files at session start and to append/write persistent logs (events.jsonl, characters/*/patterns.md, HOT/WARM/COLD memory files). It also promises automatic offline 'heartbeats' and wide loading (no hard limit) of role memories. This gives the skill broad discretion to access and persist arbitrary user data in home directories — beyond a simple reply-generation helper — and is not constrained or declared in the manifest.
- Install Mechanism
- okInstruction-only skill with no install spec or external downloads; no code files to execute. This is low install risk.
- Credentials
- noteThe skill requests no environment variables or explicit credentials (proportionate), but its instructions rely on filesystem access to potentially sensitive files in the user's home. Absence of declared config paths while instructing reads/writes to specific home paths reduces transparency about required privileges.
- Persistence & Privilege
- concernThe skill's instructions expect to run 'each new session automatically' and to persist memory and patterns to disk. While the registry flags do not set always:true, the skill semantics aim for persistent presence and autonomous behavior (heartbeats, periodic scans, writing logs). Persistent local storage and automatic per-session activation are significant privileges that should be explicitly disclosed and consented to; the manifest does not declare these requirements.