Skill v1.0.0

ClawScan security

Aprendizado Continuo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 22, 2026, 12:29 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's description promises automatic capture-and-promotion of errors to AGENTS.md / TOOLS.md / SKILL.md, but it is instruction-only, vague about how automation works, and implicitly asks an agent to modify other project documentation — a combination that merits caution.
Guidance
This skill is an instruction-only blueprint for an "auto-improvement" workflow rather than an implemented tool. Before installing or enabling it:
- Understand that there is no shipped code; any automation would be performed by the agent executing these vague instructions. Ask how the agent will detect errors and where it will write files.
- Restrict write access: ensure the agent cannot modify sensitive files or skill definitions unless you explicitly allow it. Specifically, review and sandbox any behavior that would write to AGENTS.md, TOOLS.md or SKILL.md (these can affect agent behavior and documentation).
- Prefer explicit rules: ask the author (or update SKILL.md) to specify exact capture sources, allowed file paths, formatting rules, and approval workflows for promoted changes.
- Verify provenance: metadata is inconsistent (top-level listing shows no homepage while clawhub.json points to a GitHub URL). Confirm the source repository and review commit history before trusting automatic promotions.
- If you want automation, implement or require a concrete, auditable component (script, webhook, or CI job) that you can inspect rather than relying on freeform agent actions.

Given the vagueness about what the agent should do and where it may write, proceed with caution and limit autonomous write permissions until you have a concrete, reviewed implementation.

Review Dimensions

Purpose & Capability
concern
The name and description claim automatic capture and promotion of errors into AGENTS.md, TOOLS.md and SKILL.md. However, the package contains no code or install steps — only prose describing a folder structure and example entries. There is no concrete mechanism (webhook, logger, file-watcher, or CLI tool) included to perform the "auto" behavior. Asking an agent to automatically modify those files is plausible, but the requested artifacts (none) are disproportionate to the claimed automation and leave substantial implementation discretion to the agent.
Instruction Scope
concern
SKILL.md is high-level and vague: it defines a .learnings/ layout, capture triggers and example log format, and states that important learnings are "promoted" to AGENTS.md/TOOLS.md/SKILL.md. It does not specify boundaries, authorization, or where those target files live. That vagueness grants an agent broad discretion to read or write repository files and decide what counts as an error/learning — potentially modifying skill documentation or agent configuration without explicit constraints.
Install Mechanism
ok
There is no install spec and no code to install. This is low-risk from an installation/execution vector perspective because nothing is downloaded or extracted by the registry package itself.
Credentials
ok
The skill declares no required environment variables, credentials, or config paths. No direct requests for secrets are present. However, because the instructions encourage writing/promoting content into AGENTS.md/TOOLS.md/SKILL.md, an agent implementing this could be given file-system write access and potentially access other repository files; that operational privilege is not explicitly scoped by the skill.
Persistence & Privilege
note
always:false and normal agent invocation are set (no forced inclusion). Still, the skill's purpose is to alter documentation files (including SKILL.md), which implies the agent may be instructed to modify skill documentation or configuration. If the agent is allowed to run autonomously with write permissions, that increases blast radius. The skill itself does not request persistent system presence or special privileges, but its intended actions involve persistence (writing markdown files).