Skill v1.1.0

ClawScan security

LYGO Universal Living Memory Library (v1.1) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:29 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill is mostly a local, advisory audit tool (no network calls), but its claims (compression/minting) are not implemented and the audit script's default base path can cause it to inspect files outside the skill — this mismatch and potential for unintended file reads is suspicious.
Guidance
What to check before installing or running:
- Review references/core_files_index.json carefully. Ensure none of the paths are absolute or include upward traversal (../) that would let the script read files outside a safe directory.
- Do not run audit_library.py with its default settings in a workspace containing secrets. Instead pass --base to explicitly point to a sandboxed folder containing only the files you want audited.
- Note that compression and minting are not implemented in this package; the SKILL.md points to an external verifier you must vet separately before installing or running it.
- Run scripts/self_check.py first to confirm the bundle is internally consistent. Inspect the produced state/living_memory_audit_report.json after a dry run to see what was read and written.
- If you want to be conservative: run the skill only in an isolated environment (container or throwaway workspace) and disable autonomous invocation for this skill until you have audited it fully.
- If you lack the skills to audit file path logic, avoid installing an untrusted instruction-only skill that reads the filesystem, or ask someone with developer/security experience to review the index and scripts.

Review Dimensions

Purpose & Capability
note: The skill's name/description promise audit, compression, and mint/mint-verification workflows. The distributed package contains audit/self-check/show-hash scripts and protocol docs, but there is no implemented compression or minting/posting logic; instead SKILL.md points to an external 'lygo-mint-verifier' URL. That is a reasonable separation if the verifier is intentionally external, but it is an unexplained gap between claimed capabilities and included code.
Instruction Scope
concern: SKILL.md instructs running audits/compression/minting. The included audit script performs local filesystem inspection and hashing only (no network). However, audit_library.py defaults --base to Path(__file__).resolve().parents[3] (i.e., a directory *above* the skill root), and it constructs target paths using base / rel without sanitizing rel; if core_files_index.json contains absolute paths or traversal, the script can read files outside the skill bundle. That makes the script able to access arbitrary files accessible to the agent/workspace and then write a JSON report under base/state, which could leak contents if the agent prints or transmits the report. The compression and anchoring steps are only described, not implemented.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no packaged external downloads. That keeps install risk low — nothing is fetched or extracted by the skill itself.
Credentials
ok: The skill declares no required environment variables, no credentials, and no config paths. The code likewise does not reference environment credentials. The SKILL.md's external verifier link may require separate installation/creds, but those are not requested by this skill.
Persistence & Privilege
note: always:false and no special persistence is requested. The skill is user-invocable and can be autonomously invoked by agents by default (platform default). Combined with the audit script's ability to read workspace files, autonomous invocation could increase blast radius — consider restricting autonomous use if you are concerned.