Skill v1.0.0
ClawScan security
finance-ethnographer 2 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 16, 2026, 7:00 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated privacy-first behavior mostly matches its instructions, but there are important implementation/permission inconsistencies (how it observes events and how the Sanitizer is invoked) that could lead to un-sanitized data being recorded or shared if not clarified.
- Guidance: This skill is plausible for privacy-aware UX research, but several things should be clarified before installing:
  1. Ask the author how the Ethnographer obtains 'observed events' (which platform APIs or logs it reads) and what explicit permissions are required — ensure you are not granting it blanket access to full conversation transcripts or external services.
  2. Confirm the runtime invocation model: how does the Ethnographer spawn the Sanitizer subagent if the sanitizer is marked disable-model-invocation? Get explicit assurance (or code) that the sanitizer runs before any raw data is written to persistent reports.
  3. Test the first-run flow: verify that nothing is logged before consent, that state.json/events.jsonl are created only after consent, and that you can revoke consent and delete stored data immediately.
  4. Verify the sending mechanism for 'Approve & Send to Research Team' — ask whether email sending uses a local client, the platform, or an external service, and require that no automatic outbound network calls occur without explicit confirmation.
  5. Review and, if needed, limit the retention_days and research_team_email settings; consider running the skill in 'export-only' (no recipient) mode initially and inspect the sanitized reports produced in practice.
  6. Be aware the sanitizer uses aggressive heuristics (including 12-word seed phrase detection and many credential regexes) which can over-redact; if you need different behavior, ask for configurable, auditable sanitizer logs (manifest only, never original values).
  If the author cannot explain or guarantee the sanitizer invocation semantics and the source of observed events, treat the integration as unsafe to enable on sensitive accounts.
Review Dimensions
- Purpose & Capability (note): Name/description (privacy-first ethnographer for personal finance) align with the requested resources: no credentials, only small CLI binaries (date, jq, uuidgen), and local data storage under $OPENCLAW_DATA_DIR. However, the SKILL claims it will 'observe how the participant uses OpenClaw' but does not describe the exact platform APIs/permissions or logs it will read to capture events (no declared config paths or required platform permissions). The scheduling claim (auto-pulse 3x/day) is consistent with the purpose but is not reflected as 'always: true' in the registry flags — this may be an intentional design choice, but it is a behavioral mismatch worth noting.
- Instruction Scope (concern): SKILL.md instructs the Ethnographer to record structured events, create files under $OPENCLAW_DATA_DIR, and always delegate PII/sensitive-data removal to the Sanitizer subagent. It also requires the Ethnographer to produce abstracted 'observed_behavior' text. The instructions do not state exactly how the agent will obtain raw event data (conversation transcripts, tool call logs, or platform audit logs), nor do they show how the Ethnographer avoids ever touching raw PII before sending it to the Sanitizer. This is important because if the Ethnographer receives/records raw content and the sanitizer cannot be reliably invoked, raw sensitive data might be written to disk or included in a report.
- Install Mechanism (ok): No install spec and no code files → instruction-only skill. The required binaries (date, jq, uuidgen) are lightweight and proportional to the described local behavior (timestamps, JSON handling, UUID generation). No remote downloads or third-party packages are requested.
- Credentials (note): The skill requests no credentials and no config paths, which is appropriate for a local observation/sanitization tool. It does reference $OPENCLAW_DATA_DIR (and a fallback home path) but does not declare that env var in requires.env; the platform may supply it. No secrets are requested. The sanitizer patterns include many secret/token regexes (OpenAI/ghp/AWS/etc.), which is reasonable for a sanitizer, but the presence of those detectors means the skill expects to scan for highly sensitive tokens — ensure you trust the skill before letting it process contents that might include credentials.
- Persistence & Privilege (concern): The skill is not declared always:true (good), but it describes scheduled auto-pulses (09:00/13:00/17:00) and persistent local storage (events.jsonl, state.json, reports/). Two inconsistencies raise concern: (1) The Sanitizer subagent is declared with disable-model-invocation: true and user-invocable: false, while the Ethnographer expects to 'spawn' it during pulses. If platform restrictions prevent the parent from invoking the subagent, sanitized outputs may not be produced. (2) SKILL.md's strong prohibition on the Ethnographer performing any sanitization itself relies entirely on the sanitizer actually running; that single point of failure increases the risk of un-sanitized persistence or leaks if the invocation semantics are not guaranteed.
