Skill v1.0.0
ClawScan security
Security Guard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 5, 2026, 11:38 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior matches its stated goal of sanitizing and refusing to reveal secrets, but it mandates silent, unconditional reading of session files (SOUL.md, USER.md, memory/*.md, MEMORY.md) and asserts locked rules that aren't present — these mismatches and the forced session-init behavior warrant caution.
- Guidance: This skill is mostly coherent with its goal (sanitizing and refusing to reveal secrets) and the included sanitize.sh is benign. However: (1) the SKILL.md demands that the agent silently read SOUL.md, USER.md, memory/YYYY-MM-DD.md and MEMORY.md at the start of every session — those files are not declared in metadata and may contain sensitive user data; (2) the skill states rules are "locked" (LOCKED.md) but that file isn't present; and (3) the wording forces behavior without asking. Before installing: verify where SOUL.md/USER.md/memory files live and what they contain; confirm the agent runtime will not follow the mandatory reads without your consent; request the author to remove or make optional the non-consensual session-init steps and to include or explain LOCKED.md; run the skill in a sandboxed agent first; and ensure the skill cannot be auto-enabled globally (no always:true). If you accept the file-read behavior and trust the author, the skill's sanitization behavior appears consistent — otherwise do not install until the session-init and file-access behavior is clarified.
Review Dimensions
- Purpose & Capability (ok): Name/description align with included assets: SKILL.md enforces refusal/sanitization and a small sanitize.sh script implements redaction. No unrelated credentials, binaries, or install steps are requested.
- Instruction Scope (concern): Runtime instructions require the agent to "MUST run at start of EVERY session" and to read files (SOUL.md, USER.md, memory/YYYY-MM-DD.md, optionally MEMORY.md) without asking. Those file reads are not declared in metadata and could expose private session memory; the skill also references LOCKED.md though that file is not included. The mandatory, non-consensual file access is out-of-band for an instruction-only skill that declared no required config paths.
- Install Mechanism (ok): No install spec; only a small shell script (scripts/sanitize.sh) is included. The script is straightforward and performs local string redaction — no network downloads or archive extraction.
- Credentials (note): The skill requests no environment variables or external credentials (good). However SKILL.md instructs the agent to read local files and to suggest local file paths (e.g., ~/.openclaw/openclaw.json). Those file reads are not declared under required config paths; accessing agent memory files may be broader than necessary.
- Persistence & Privilege (concern): always:false and normal autonomous invocation are fine, but the skill's strong wording ('MUST run at start of EVERY session' and 'Do not ask permission') tries to impose persistent behavior at runtime. Although it doesn't request platform-level always:true, this coercive instruction combined with mandatory file reads increases privacy risk if the agent follows it automatically.
