Back to skill
Skillv1.0.1
ClawScan security
KPI for clawbot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 9, 2026, 2:36 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This skill's declared purpose (KPI management) matches its instructions and requirements; it is an instruction-only skill that persistently writes KPI data to the agent workspace file but requests no credentials or installs.
- Guidance
- This skill is coherent and appears to do what it says: it will read and update a persistent KPI file at ~/.openclaw/workspace/memory/kpi.md to track goals, tasks, and periodic reviews. Before enabling, confirm you are comfortable storing KPI content in that location (back it up if needed) and that the workspace file does not contain other sensitive information. The skill requests no credentials or external installs. If you want stricter control, consider restricting write permissions to the workspace or reviewing the memory file periodically; also note the small path wording inconsistency (relative vs. absolute) and confirm the exact file location in your environment.
Review Dimensions
- Purpose & Capability
- okName/description describe KPI management and the SKILL.md contains detailed rules for creating, tracking, and reviewing KPIs and tasks. There are no unexpected env vars, binaries, or external services requested — the requested capabilities align with the stated purpose.
- Instruction Scope
- noteInstructions explicitly require reading and writing a local memory file (~/.openclaw/workspace/memory/kpi.md) and define structured persistence and update rules. This is within scope for a KPI assistant, but be aware the skill will persistently modify a workspace file and will update it when the user mentions KPI-related items. Minor inconsistency: top-level description refers to memory/kpi.md (relative) while the doc uses the absolute ~/.openclaw/workspace/memory/kpi.md path.
- Install Mechanism
- okNo install spec and no code files — instruction-only. Nothing is downloaded or written to disk by an installer beyond the normal memory file updates defined in the instructions.
- Credentials
- okThe skill requires no environment variables, credentials, or external config paths. It also explicitly states not to record sensitive info (passwords, keys). The requested access (local workspace file) is proportional to its purpose.
- Persistence & Privilege
- noteThe skill persists KPI data to the agent workspace (memory file) and will read/modify that file as part of normal operation. It is not marked always:true and requests no elevated privileges — this persistent write access is expected for a memory-based KPI assistant but is the primary consequence users should understand.