v0.1.0

Claw Mission Killer

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:29 AM.

Analysis

The skill is not showing exfiltration or hidden network behavior, but it has Review-level risk because it can force-kill agents, rewrite session history, and persistently change agent instructions.

GuidanceInstall only if you deliberately want a local emergency stop-and-rollback tool for OpenClaw agents. Avoid casual use of kill-all behavior, confirm target agents and PIDs before interruption, review any AGENTS.md changes, keep the background watcher off unless needed, and protect or delete rollback logs that may contain sensitive conversation data.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

scripts/interrupt.py

if workspace in line: ... procs.append({"pid": int(parts[1]), "cmd": line[:100]}) ... subprocess.run(["kill", "-9", str(p["pid"])], capture_output=True)

The fallback process targeting collects any process whose command line contains the workspace path, then force-kills matched PIDs. This is purpose-related but broad and potentially destructive if the match includes non-agent processes.

User impactA mistaken target or broad workspace match could terminate unrelated local work, not just the intended stuck agent.

RecommendationPrefer the precise PID wrapper, show the exact processes to be killed, require confirmation for force-kill actions, and avoid using the workspace fallback unless the user approves the matched list.

Cascading Failures

SeverityHighConfidenceHighStatusConcern

SKILL.md

Supports all configured agents by ID, or all agents at once with --all.

The skill explicitly supports interrupting every configured agent in one operation, which can spread a mistake across multiple agent sessions and workspaces.

User impactUsing an all-agents command accidentally could stop multiple active tasks and roll back multiple sessions at once.

RecommendationMake all-agent interruption opt-in with a separate confirmation, list affected agents first, and default to a dry run for bulk actions.

Rogue Agents

SeverityMediumConfidenceHighStatusConcern

SKILL.md

New agents added later are picked up automatically via a background watcher. ... `watch.py` | Auto-injects new agents (runs via cron)

The artifacts document persistent watcher behavior that can continue modifying new agents' AGENTS.md files after the initial setup.

User impactFuture agents may receive new execution instructions automatically, without a separate per-agent review at creation time.

RecommendationKeep the watcher disabled unless specifically needed, document any cron entry clearly, and require user approval before modifying each new agent.

Human-Agent Trust Exploitation

SeverityLowConfidenceHighStatusNote

scripts/install.py

INTEGRATION_MARKER = "" ... if INTEGRATION_MARKER in content: print(f"  [SKIP] {agent_id}: already integrated"); return

Because the integration marker is an empty string, the installer can treat files as already integrated and skip changes, which may give users false confidence that the safer precise-kill protocol was installed.

User impactUsers may believe all agents were configured for precise interruption when they were not, increasing reliance on less precise fallback behavior.

RecommendationUse a non-empty integration marker, verify modified AGENTS.md files after setup, and run any installer in dry-run mode first.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusNote

SKILL.md

Backs up memory — Saves the removed messages to `interrupt-logs/` for recovery ... Rolls back transcript — Deletes the last user message ... and everything after it

The skill intentionally modifies persistent agent transcript memory and stores removed content in local rollback logs. This is disclosed and aligned with the purpose, but it affects sensitive conversation history.

User impactInterrupted task content may disappear from the active agent context while still being retained in local backup logs.

RecommendationReview and protect the interrupt logs, delete backups that contain sensitive data when no longer needed, and use rollback only when you accept the transcript change.