Skill v1.0.0

ClawScan security

Abby Autonomy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 21, 2026, 9:39 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and documentation mostly match its stated purpose (autonomously taking tasks from a local queue), but there are several inconsistencies and a sys.path insertion that loads code from outside the bundle, which warrant caution before installing.
Guidance
This skill appears to implement a local task queue and autonomous heartbeat, which matches its description, but there are a few red flags you should consider before installing:

- The package references and attempts to import a 'long-term-memory' skill from the agent workspace (sys.path insertion). Verify that the long-term-memory skill exists and is trusted, because Abby will load and execute that code at runtime and may access its data.
- The SKILL.md and scripts mention an executor.py that is not included; the skill may be incomplete and could behave unexpectedly if you rely on it.
- There are minor code inconsistencies (duplicate imports/names) suggesting limited QA. Test in a controlled environment first (no sensitive data or credentials available), and inspect the long-term-memory skill code the bundle will import.
- If you allow the skill to run autonomously, consider limiting its permissions and monitoring file writes to the tasks/ and memory/ directories.

If you want, I can list the exact lines where the sys.path insertion and the missing executor reference appear, or help craft a safer test plan for trying this skill in an isolated environment.

Review Dimensions

Purpose & Capability
note
Name/description align with the included code (queue/heartbeat/status). The skill reads/writes a local tasks/QUEUE.md and memory/task_state.json, which fits the stated purpose. However: SKILL.md and the scripts reference an executor.py that is not present in the bundle, and __init__.py imports 'complete_task' from both queue and status, so the second import silently shadows the first and callers get whichever module was imported last. These mismatches suggest incomplete or sloppy packaging.
Instruction Scope
concern
SKILL.md and the scripts describe only local file-based queue management and periodic heartbeats, which is appropriate. But heartbeat.py inserts a path into sys.path to import code from workspace/skills/long-term-memory (outside the skill bundle). That means at runtime the skill will load and execute whatever code is present at that path in the agent workspace, with this skill's own privileges; the behavior is not documented beyond a dependency note. The urgent-check mentions 'Gateway' and human messages (TODO) but those checks are unimplemented. Overall the runtime instructions do not exfiltrate data, but the external import moves the trust boundary outside the bundle that was reviewed and could reach other skill data.
Install Mechanism
ok
No install specification and no remote downloads; the skill is provided as local code and operates on local files. This is low install risk.
Credentials
note
The skill requests no environment variables or credentials, and operates on local files only. The main proportionality concern is the explicit sys.path insertion to a 'long-term-memory' skill in the agent workspace, which gives the skill potential indirect access to whatever that other skill exposes (including any data it stores). The dependency on 'long-term-memory' is declared in SKILL.md, but users should verify that the referenced skill is trustworthy.
Persistence & Privilege
ok
Flags show normal autonomy settings (always:false, user-invocable:true, model invocation allowed). The skill only writes to its own tasks/ and memory/ files; it does not request to modify other skills or global agent configuration. No 'always:true' privilege is requested.
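The Guidance section and the Purpose, Instruction Scope and Credentials findings above all come down to three static checks a user can run on a bundle before installing it: sys.path edits that point outside the bundle, a name imported from two modules in the same file, and .py files the bundle talks about but does not ship. The script below is an added example of those checks, not ClawHub's scanner code and not part of the Abby Autonomy skill. The skill's real files are not on this page, so the bundle it scans is a constructed stand-in with the same shape as the findings describe (a heartbeat.py that inserts a '../long-term-memory' path, an __init__.py that imports complete_task twice, and a SKILL.md that names an executor.py that is absent).

```python
"""Static pre-install triage of a skill bundle (added example, not ClawHub's scanner).
The bundle is a dict of filename -> file contents; SAMPLE_BUNDLE below is constructed
for this example and is not the real skill's code."""
import ast
import json
import re
from typing import Dict, List


def _literal_path(node: ast.AST) -> str:
    """Best-effort string for a path argument: a literal, or the literal pieces of an
    os.path.join(...) call joined with '/', or '<dynamic>' if nothing readable."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    parts = [n.value for n in ast.walk(node)
             if isinstance(n, ast.Constant) and isinstance(n.value, str)]
    return "/".join(parts) if parts else "<dynamic>"


def path_escapes_bundle(path: str) -> bool:
    """True when the path is absolute, climbs out with '..', or cannot be read statically."""
    return path == "<dynamic>" or path.startswith("/") or ".." in path.split("/")


def find_sys_path_edits(source: str) -> List[str]:
    """Paths passed to sys.path.insert/append/extend anywhere in one source file."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        f = node.func
        if (isinstance(f, ast.Attribute) and f.attr in ("insert", "append", "extend")
                and isinstance(f.value, ast.Attribute) and f.value.attr == "path"
                and isinstance(f.value.value, ast.Name) and f.value.value.id == "sys"):
            # insert(idx, path) carries the path last; append/extend carry it first
            hits.append(_literal_path(node.args[-1]))
    return hits


def find_duplicate_imports(source: str) -> List[str]:
    """Names bound by `from X import name` from more than one module in the same file.
    Python keeps the last binding, so the earlier import is silently shadowed."""
    bound_from: Dict[str, set] = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ImportFrom):
            for alias in node.names:
                bound_from.setdefault(alias.asname or alias.name, set()).add(node.module or "")
    return sorted(name for name, mods in bound_from.items() if len(mods) > 1)


def find_missing_referenced_files(bundle: Dict[str, str]) -> List[str]:
    """.py filenames mentioned in any bundle file (docs included) but not shipped in it."""
    mentioned = set()
    for text in bundle.values():
        mentioned.update(re.findall(r"\b[\w\-]+\.py\b", text))
    return sorted(mentioned - set(bundle))


def scan_skill_bundle(bundle: Dict[str, str]) -> dict:
    """Run the three checks over every .py file and return a findings report."""
    report: dict = {"sys_path_edits": {}, "duplicate_imports": {}}
    for name, src in bundle.items():
        if not name.endswith(".py"):
            continue
        edits = find_sys_path_edits(src)
        if edits:
            report["sys_path_edits"][name] = [
                {"path": p, "escapes_bundle": path_escapes_bundle(p)} for p in edits]
        dups = find_duplicate_imports(src)
        if dups:
            report["duplicate_imports"][name] = dups
    report["missing_files"] = find_missing_referenced_files(bundle)
    return report


# Constructed stand-in for the bundle; the real skill's files are not on the page.
SAMPLE_BUNDLE = {
    "SKILL.md": "# Abby Autonomy\nRun heartbeat.py on a schedule; executor.py runs each task.\n"
                "Depends on the long-term-memory skill.\n",
    "__init__.py": "from .queue import add_task, complete_task\n"
                   "from .status import complete_task, status\n",
    "queue.py": "def add_task(t): ...\ndef complete_task(t): ...\n",
    "status.py": "def status(): ...\ndef complete_task(t): ...\n",
    "heartbeat.py": "import os, sys\n"
                    "sys.path.insert(0, os.path.join(os.path.dirname(__file__), '..', 'long-term-memory'))\n"
                    "import memory_store  # provided by the other skill, not this bundle\n"
                    "def heartbeat():\n    return memory_store.recall()\n",
}

if __name__ == "__main__":
    print(json.dumps(scan_skill_bundle(SAMPLE_BUNDLE), indent=2))
```

Run it against an unpacked bundle by reading each file into the dict. A `sys_path_edits` entry with `escapes_bundle` true is the case the report flags: the code that will actually run comes from wherever that path resolves at runtime, not from the artifact that was reviewed, so inspect that target (here `../long-term-memory`) before enabling autonomous runs.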