Skill v1.0.0
ClawScan security
Pattern Analyst · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Suspicious (Feb 11, 2026, 9:24 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (tracking and surfacing patterns) matches its instructions, but it instructs the agent to autonomously modify local user profile files (auto-confirm patterns and update USER.md) and references workspace files without declaring those config paths — this unexpected persistence and self-update behavior is notable and warrants caution.
- Guidance: This skill does what it says — it tracks and surfaces patterns — but it also writes to and updates your workspace files (notes/patterns.md and USER.md), including an automatic 'auto-confirm' flow that will change your USER.md after seeing a pattern 3 times. Before installing: (1) ensure you have backups of USER.md and any notes files; (2) consider requiring explicit user confirmation before any changes to USER.md (update the SKILL.md or wrapper to remove auto-confirm); (3) limit or review autonomous heartbeats (disable or require manual invocation) so the agent doesn't modify your profile without your review; (4) confirm where notes/patterns.md will be stored and who/what has access to that path. These mitigations reduce risk; if you expect the skill to auto-update your profile, accept that behavior only after reviewing and testing it in a safe workspace.
Review Dimensions
- Purpose & Capability (note): The name/description align with the instructions: the skill analyzes interactions and stores pattern notes. However, the SKILL.md explicitly reads and writes workspace files (notes/patterns.md and USER.md) but the skill metadata declares no required config paths or file access — an omission that should be called out.
- Instruction Scope (concern): Instructions go beyond passive analysis: they require logging every relevant interaction to notes/patterns.md, periodic proactive reviews (heartbeats), and an automatic 'independent confirmation' flow that will tag patterns as [AUTO-CONFIRMED] after 3 repeats and immediately update USER.md. Auto-confirming and immediately updating the user's profile without explicit user approval is scope creep from 'observe and surface' to 'modify user state'.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code files, so there is no install-time execution risk. That said, runtime file writes are still possible because the instructions tell the agent to modify workspace files.
- Credentials (note): The skill requests no credentials or environment variables, which is appropriate. But it still requires read/write access to notes/patterns.md and USER.md (and expects those files to exist or be creatable) — this file access is not declared in metadata and can expose or alter stored personal data. No network exfiltration is requested in the instructions.
- Persistence & Privilege (concern): The skill is not flagged always:true, but it instructs autonomous behavior (periodic heartbeats) and automatic updates to USER.md when patterns are auto-confirmed. Modifying the user's profile/data automatically increases persistence and the potential blast radius if the skill behaves incorrectly. The metadata does not warn about this self-modifying behavior.
