Skill v1.0.0

ClawScan security

Ultimate Agent System · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 5, 2026, 10:58 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill broadly matches its stated purpose, but there are several inconsistencies and a detected prompt-injection pattern that warrant caution before installing or running it.
Guidance
This skill contains working code and will create and persist state on disk (memory/ultimate-state.json under a workspace). Before installing or running it:
1) Review the three Python scripts locally (especially publish.py and ultimate_system.py) to ensure you accept the filesystem operations and subprocess calls.
2) Be aware publish.py expects the ClawHub CLI and benchmark.py uses psutil and a hardcoded D:/ path — run tests in a sandbox or VM first.
3) Remove or inspect any invisible/unicode-control characters in SKILL.md (scanner flagged them).
4) Don't run on systems with sensitive data until you confirm there are no network calls or credential exfiltration paths; run it offline if possible.
5) Ask the publisher for the canonical source repository and a signed release; without a known upstream source, treat it with extra caution.
Findings
[unicode-control-chars] unexpected: A prompt-injection pattern was detected in SKILL.md (unicode control characters). This is not needed for the described functionality and could be an attempt to influence LLM parsing or evaluation. Inspect raw SKILL.md and related files for hidden/invisible characters before trusting automated processing.

Review Dimensions

Purpose & Capability
note
Name/description (proactive engine, self-improvement, agent factory) align with the included Python implementation. However, the metadata claims 'no required binaries' while scripts (scripts/publish.py and README/SKILL.md) expect the ClawHub CLI; the benchmark code imports psutil (not declared) and writes to a hardcoded Windows path (D:/Test-Benchmark). These are disproportionate or at least undocumented dependencies.
Instruction Scope
note
SKILL.md instructs installation via 'clawhub install' and describes automatic environment detection. The shipped code reads/writes workspace and memory files (OPENCLAW_WORKSPACE, memory/ultimate-state.json), checks disk usage and may create directories; these actions are consistent with stateful agent behavior. SKILL.md contains a prompt-injection signal (unicode-control-chars) which could be an attempt to manipulate LLMs. The instructions are otherwise somewhat high-level and grant broad discretion to 'automatically detect and configure', which is vague and increases risk.
Install Mechanism
note
No formal install spec is provided (instruction-only), which limits automated vetting. There are local scripts (publish/benchmark/ultimate_system) but no package/install manifest. publish.py runs subprocesses invoking 'clawhub' and executes scripts; benchmark.py uses psutil and writes to a hardcoded Windows path. The lack of declared installation dependencies (clawhub, psutil) and the presence of filesystem writes are notable.
Credentials
ok
The skill does not declare or require credentials or secrets. It reads an optional OPENCLAW_WORKSPACE env var (reasonable for locating workspace). No other environment variables or tokens are requested in metadata. The code will read/write local filesystem state, which is expected for a persistent agent.
Persistence & Privilege
ok
always is false and user-invocable is true. The skill persists state under its own memory directory and does not appear to modify other skills or global agent config. Autonomous invocation is allowed by default (platform behavior) but is not combined with other high-risk factors here.