Skill v1.0.0

ClawScan security

Number Two Migration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 8, 2026, 2:53 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The package's files line up with a full agent-state migration, but hard-coded API keys, instructions to auto-set credentials, and scripts that will overwrite workspace and skill configs are disproportionate or unexplained and warrant caution.
Guidance
This package contains everything needed to 'become' Number Two — identities, long and short-term memory, skill triggers, and scripts that will overwrite your workspace and persist API keys. Before installing:
1) Do not run install.sh or verify.sh until you read their full contents; open them in a text editor and search for network calls, remote URLs, or commands that modify files outside the intended skill directory.
2) Back up your entire ~/.openclaw/ and workspace directories.
3) Remove or rotate any hard-coded API keys found in the package; never import unknown credentials into your environment.
4) Prefer running the install in an isolated sandbox/container or VM if you want to test.
5) Verify that the package will not silently modify other skills' configuration (search for writes to global AGENTS.md, skills folders, or OpenClaw config paths).
6) If you cannot audit the scripts yourself, do not install.
If you want help auditing install.sh and verify.sh, provide their contents and I will review for network exfiltration, file overwrite behavior, and other risky operations.
Findings
[ignore-previous-instructions] unexpected: A prompt-injection pattern was detected in SKILL.md. This is unrelated to a standard migration README and could indicate an attempt to influence the agent's instruction-following; it should be removed or explained.

Review Dimensions

Purpose & Capability
concern: The skill's name/description (complete migration of identity, memories, skills, and project state) matches the many config and memory files included. However, SKILL.md contains hard-coded API keys and promises to 'automatically set API keys' despite the registry metadata claiming no required env vars or primary credential — embedding and auto-applying credentials is not necessary for a migration package to be published and is disproportionate.
Instruction Scope
concern: Runtime instructions ask the user to run install.sh and verify.sh and warn that the skill will overwrite existing workspace files. SKILL.md directs copying full identity/memory/skills into the user's workspace and to auto-configure API keys; this explicitly instructs reading/writing and modifying agent/system state beyond a small helper tool. The notice 'this skill will overwrite existing workspace files' is honest, but such wide-scoped modifications should require explicit, code-level transparency. The SKILL.md also contains a pre-scan prompt-injection pattern (ignore-previous-instructions) which is unexpected in a benign install guide.
Install Mechanism
note: There is no formal install spec in registry metadata (instruction-only), but the package includes install.sh and verify.sh — meaning installation will execute bundled scripts written to disk. That increases risk compared to pure instruction-only skills. The SKILL.md suggests installing from an external URL (clawhub.com) but the provided package already contains many files. The install mechanism is plausible for a migration task but needs inspection of the scripts before running.
Credentials
concern: Registry metadata declares no required env vars or primary credential, yet SKILL.md lists and embeds multiple sensitive API keys (Moltbook, Manus, JWT) and says it will set them automatically. This is inconsistent and dangerous: the package both exposes secrets and would persist them into the environment/workspace. The included memories also reference additional credentials (OPENCLAW_ADMIN_KEY, JWT_SECRET). Asking to write or persist credentials into the user's environment without clear justification or the user's explicit secret values is disproportionate.
Persistence & Privilege
concern: The skill will write to the user's workspace and overwrite existing files (IDENTITY, MEMORY, AGENTS, SESSION-STATE, skills configs). That is inherently high-privilege for a skill. It also includes a skills-auto-trigger file that enforces automatic triggers for multiple skills (e.g., always-apply humanize-zh for Chinese replies), which modifies runtime behavior of other skills. 'always: true' is not set, but the ability to overwrite agent identity/memory and skill integrations is a significant persistent privilege and should be treated with caution.