Skillv1.0.0

ClawScan security

Agent Autonomy Primitives · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 16, 2026, 1:59 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions match its stated purpose, but the registry metadata omits required installation steps and environment variables and the heartbeat's 'execute it' step is intentionally open-ended—these mismatches and the vague execution authority are concerning.
Guidance: This skill appears to implement what it claims (a file-based 'ClawVault' workflow and heartbeat-driven autonomy), but the package metadata and the runtime instructions are inconsistent and the heartbeat step gives agents open-ended authority to 'execute' tasks. Before installing or enabling this skill: 1) Verify the source of the clawvault npm package (official repo/organization, code review) rather than running a global install blindly. 2) Expect to install Node/npm and the clawvault CLI—these are required even though the registry metadata doesn't list them. 3) Be cautious about allowing your agent to 'execute' task steps autonomously; restrict the agent's runtime permissions (network, filesystem, credential access) or test in an isolated environment first. 4) Confirm what files the clawvault tool will write (hooks, skills/* paths, checkpoints) and whether it will modify agent configuration. 5) Limit or review environment variables (CLAWVAULT_PATH, compression provider/model settings) to avoid exposing sensitive credentials. If the publisher/ homepage and the clawvault package repository are provided and you can inspect the package source and confirm the install behavior, the concerns here would be substantially reduced.

Review Dimensions

Purpose & Capability: concernThe SKILL.md requires installing and using the clawvault CLI (npm install -g clawvault, clawvault init) and references CLAWVAULT_* environment variables, but the registry metadata lists no required binaries or env vars. That mismatch indicates the declared requirements do not match what the skill actually needs.
Instruction Scope: concernInstructions tell an agent to list tasks, pick the highest-impact task, and then 'Execute it' during each heartbeat. 'Execute it' is intentionally vague and grants the agent broad discretion to run arbitrary work (which could include network calls, subprocesses, filesystem changes). The adaptation guide also shows example code that runs subprocesses with the agent's full environment, increasing the scope of actions an agent might take.
Install Mechanism: noteThere is no formal install specification in the registry (skill is instruction-only), but the SKILL.md asks the user to run npm install -g clawvault. Relying on an npm global install is moderately risky unless the package source is known and trusted; the skill metadata does not provide a homepage or package origin to verify.
Credentials: concernSKILL.md documents environment variables (CLAWVAULT_PATH, CLAWVAULT_COMPRESSION_PROVIDER, CLAWVAULT_COMPRESSION_MODEL) and instructs merging os.environ when invoking the CLI, but the skill's declared required env vars are empty. The described behavior would allow the agent to read and rely on environment settings not declared in the registry, which is a proportionality/visibility problem.
Persistence & Privilege: noteThe skill is not marked always:true and is user-invocable (normal). However the docs mention 'OpenClaw hooks (in skills/clawvault/hooks/) auto-checkpoint' which suggests the clawvault installation or usage may create hooks or files under an agent's skills tree. That could modify agent-side files; users should verify whether installing clawvault will write into agent or system skill directories.