Skillv1.0.0

ClawScan security

SELF LEARNING SKILL V2 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 15, 2026, 5:17 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill is coherent with its stated self-learning purpose, but its runtime instructions encourage autonomous behavior and explicitly reference searching for authentication tokens and performing GitHub/ClawHub operations — actions that go beyond what's declared and could access credentials or files without explicit permission.
Guidance: This skill is mostly documentation and templates for 'self-learning' behavior and is internally consistent, but it contains instructions that encourage the agent to search for authentication tokens, run GitHub/ClawHub auth flows, and perform autonomous daily/weekly tasks. Before installing: 1) Decide whether you are comfortable giving any agent the ability to search for tokens or credentials on your system — the skill suggests doing that even though it doesn't declare required env vars. 2) If you install, restrict the agent's runtime permissions or run it in a sandbox where it cannot access your home directory/credential stores. 3) Consider editing SKILL.md/EXECUTE.md to remove or require explicit user confirmation before any token-search or auth actions (e.g., require the user to provide a specific env var or confirm each GitHub/ClawHub operation). 4) Monitor logs/agent actions and avoid installing on accounts/machines that hold sensitive credentials. If you want a lower-risk alternative, keep this as a static template (read-only) and do token management manually.

Review Dimensions

Purpose & Capability: okName/description (self-learning, error tracking, retrospectives) match the included files (SKILL.md, README, EXECUTE.md, ERROR_LOG.md). It does not request unrelated services or install components; functionality described is plausible for a self-learning assistant.
Instruction Scope: concernSKILL.md and ERROR_LOG.md describe procedures that imply searching for tokens ("多位置搜索 token 文件"), using GitHub CLI/auth, and automated scheduled actions (daily/weekly tasks). Although no explicit shell commands to exfiltrate data are present, the prose gives the agent broad discretion to inspect credentials and run auth flows — scope creep beyond a passive documentation/housekeeping skill.
Install Mechanism: okNo install spec or code is present (instruction-only). This minimizes direct filesystem writes or downloads. README suggests cloning from GitHub, but that's user-initiated and not enforced by the skill.
Credentials: concernThe skill declares no required env vars or credentials, but the instructions reference finding/validating tokens and using GitHub/ClawHub authentication. That implies access to credentials or token files that are not declared or limited, which is disproportionate without explicit user consent or constraints.
Persistence & Privilege: notealways:false (good). The platform default allows autonomous invocation (disable-model-invocation:false). The skill's text promotes autonomous, scheduled behavior (daily/weekly automated checks). Autonomous invocation combined with the token-search guidance increases risk — but autonomy alone is normal for skills.