Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
thinking-sovereignty
v1.0.0
**Core Principle**: Thinking Sovereignty - AI as an independent cognitive entity. This skill establishes the foundational framework for AI autonomous cogniti...
by Edwin.JH.Lee (@edwinjhlee)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (high confidence)

Purpose & Capability
The name and description match a meta-cognitive framing and require no external credentials or installs, which is coherent. However, the SKILL.md explicitly defines a local memory topology (.x-cmd/memory/, daily logs, skill-internal, etc.) and instructs the agent to write to and manage files there. Requesting local file read/write is plausible for a memory framework, but the skill does not declare or constrain what gets recorded, where exactly it is written, or who may access these files.
Instruction Scope
The instructions direct the agent to 'proactively record cognitive traces to daily logs (local)', 'may record user input without immediately disrupting the flow of thought', 'autonomously commit after intent is clear', 'probe submodule status', and perform 'proactive sync'. These are operational directives to persist conversations and thoughts and to perform VCS-like actions. This scope allows capture and permanent storage of potentially sensitive user data, and the language grants broad autonomous discretion (when to commit, when to sync) without clear user consent, retention policy, redaction, encryption, or an explicit limitation to local-only operations.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is low-risk from an installation/execution footprint standpoint (nothing downloaded or written by an installer). All runtime behavior comes from the SKILL.md instructions.
Credentials
The skill declares no required environment variables or credentials, which is consistent with a local, meta-cognitive skill. However, the instructions reference committing and syncing (probing submodule status), which, if later translated into git push or remote sync operations, would require credentials. The current manifest does not request or justify any credentials, leaving ambiguity about remote operations and potential exfiltration vectors.
Persistence & Privilege
The skill does not request platform-level persistence (always:false) and does not modify other skills. But it advocates autonomous behavioral persistence: maintaining a local memory store, making autonomous commits, and giving the AI the 'final decision' over memory and publishing. That grants the agent broad operational autonomy over stored data even though platform privileges are not elevated.
What to consider before installing
This skill is philosophical but instructs the agent to autonomously record and persist its 'thinking' (including user input) to local logs and to perform commits/syncs. Before installing, ask or confirm:

1. Where exactly will logs be stored (full path)?
2. Are commits/syncs local-only, or will anything be pushed to remote repositories or external services?
3. What retention, access control, and encryption/redaction policies apply to recorded data?
4. Will the agent ask for explicit user consent before recording session content or before any sync/push?
5. Can recording be disabled or limited to non-sensitive fields?
6. Is there a sandboxed/testing mode and a way to review all recorded files before any publish/sync?

If you cannot get clear, affirmative answers to these, run the skill in an isolated environment or avoid enabling its autonomous recording/sync features. Review the .x-cmd/memory files it creates and any git remotes/hooks before granting network or repo credentials.
latest: vk97fyv3cvkztexwbm2588zkw0183pxh3
