Skillv1.0.0

ClawScan security

Agent Memory Templates · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 19, 2026, 10:05 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill is mostly what it says (memory templates), but the runtime instructions assume a 'clawvault' CLI and direct users to external paid pages while the skill declares no binary or source — verify the CLI and vendor before use.
Guidance: This skill appears to be a collection of memory templates and marketing links. Before installing or using it: - Confirm whether you have (or want) the 'clawvault' CLI: SKILL.md uses commands like `clawvault checkpoint` but the skill metadata doesn't declare that dependency. Running those commands without knowing what the CLI does could change local state or send data externally. - Verify the vendor/source (Versatly / ClawVault). The skill has no homepage/source in the registry metadata; prefer packages with traceable publishers. - The SKILL.md links to paid content (Whop checkout pages). Treat those as external commerce pages; do not provide secrets or credentials to unfamiliar sites. - Because these are memory templates, be cautious about storing or checkpointing sensitive information (personal data, API keys) when you follow the templates or run the CLI — ensure you understand where the data is saved and who can access it. - If you plan to use this in an automated agent, test the example commands in a safe environment first to see what the clawvault CLI does and whether it transmits data off your machine. If you can confirm the clawvault CLI and vendor are legitimate, the skill itself is low-privilege and likely fine. Without that confirmation, the mismatch between examples and declared requirements is the primary concern.

Review Dimensions

Purpose & Capability: noteThe name and description match the SKILL.md content (memory templates, personality templates, prompts). However SKILL.md shows example usage via a 'clawvault' CLI; the skill metadata does not declare that binary as required. This is a minor coherence mismatch: either the skill should list 'clawvault' as a required binary or the examples should be clarified as optional.
Instruction Scope: noteInstructions are short and limited to using memory templates and three example clawvault commands. They also include links to external paid content. The instructions do not ask the agent to read unrelated files, environment variables, or system-wide configs, but they do presuppose the ability to run an external CLI (which could have broader effects) and to navigate to external payment pages.
Install Mechanism: okThere is no install spec and no code files; this is instruction-only, which minimizes direct install risk. Nothing in the manifest attempts to download or execute external installers.
Credentials: okThe skill requests no environment variables, secrets, or config paths. That is proportionate to a templates/guide skill. Be aware that following the CLI examples may cause the agent to invoke local tools with their own permissions.
Persistence & Privilege: okalways is false and model invocation is allowed (platform default). The skill does not request persistent presence or elevated privileges.