Skillv0.0.5

ClawScan security

i-am · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 13, 2026, 4:41 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (personality analysis) matches many of its instructions, but it automatically reads extensive local conversation history, proposes creating scheduled cron tasks, and implies adaptive IM file-sending without clear limits or explicit user-consent steps — this combination is disproportionate and warrants caution.
Guidance: Before installing or enabling this skill, consider the following: - This skill reads your OpenClaw conversation session files (~/.openclaw/agents/main/sessions) and may load unbounded historical messages on first run — if you don't want your past conversations analyzed or included, do not install. - The skill proposes creating/modifying a cron-tasks.json entry to run automatically twice daily. If you prefer no background activity, choose the manual mode and verify cron entries before enabling them. - The description references 'IM-adaptive file sending' and the instructions parse message metadata; clarify exactly where generated/backup files (USER.md, ChangeLog.md) will be sent, to whom, and whether any data will leave your machine or be posted externally. If this is not explicit, assume it could be transmitted and avoid installing. - Ask the publisher for a minimal, auditable runtime flow: explicit consent prompts before first data access, a configurable message-history limit, a dry-run that shows extracted messages before analysis, and an opt-out for automatic scheduling. - If you still want the functionality: run in manual mode, inspect the created files and cron-tasks.json yourself, and consider running the skill in a restricted/testing account or environment first. My confidence is medium because the skill is internally coherent for its stated goal, but the combination of broad local data access, automatic scheduling, and implied adaptive sending is disproportionate without clearer consent and data-exfiltration controls. Additional information that would raise confidence toward 'benign': explicit, user-visible consent prompts; a clear, auditable description of any sending behavior (endpoints/recipients); and configurable limits on how much history is read on first run.

Review Dimensions

Purpose & Capability: noteReading past user messages and building a personality model aligns with a 'personality analysis' skill. However, the description also mentions 'IM-adaptive file sending' which is not justified or detailed in the SKILL.md excerpt. Creating changelogs, temp files, and backups in the skill workspace is consistent, but automated background scheduling and adaptive sending behavior expand the scope beyond simple analysis.
Instruction Scope: concernThe SKILL.md tells the agent to scan ~/.openclaw/agents/main/sessions for all user messages (initial run: unbounded historical data), apply regexes to extract content, and filter/verify senders. Those instructions give the agent broad discretion to access and parse potentially sensitive conversation logs and to automatically create and modify cron task configuration. The document does not show explicit, user-facing consent prompts for accessing stored conversations or for sending generated USER.md files via IM channels.
Install Mechanism: okThere is no install spec or external code download; this is instruction-only. That lowers supply-chain risk because no additional binaries or archives are fetched or written beyond files the skill itself creates under the user's home directory.
Credentials: concernNo environment variables or external credentials are requested, which is appropriate. However, the instructions access sensitive local data (conversation session logs) and configuration files under ~/.openclaw and propose creating/modifying cron task JSON. Accessing entire session histories and unbounded message sets is a high-sensitivity operation relative to a 'simple' personality analysis and is not scoped or limited in the document.
Persistence & Privilege: concernThe skill will create workspace files, ChangeLog.md backups, and (optionally, by default) add scheduled tasks to the user's cron-tasks.json to run twice daily. While 'always: false', the persistent cron scheduling gives the skill ongoing privilege to re-run analyses and re-read session data without a fresh explicit user action each time — this increases the blast radius if the behavior is undesired.