Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

aaaa

v1.0.0

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (self-improvement, capture learnings/errors) align with the included scripts and OpenClaw hook handlers: activator.sh, error-detector.sh, and handler.{js,ts} implement reminders and error-detection. However the registry metadata claims 'instruction-only' / no install spec while the package contains multiple executable scripts and hook handlers — that's an inconsistency you should verify. Also the SKILL.md suggests cloning a GitHub repo as a manual install (external content).
! Instruction Scope
SKILL.md and hooks instruct the agent to log learnings and to promote selected entries into workspace files (SOUL.md, AGENTS.md, TOOLS.md, CLAUDE.md) which OpenClaw injects into every session. That is functionally consistent with the purpose but materially expands scope: user-provided or automated learnings can become persistent session context (a form of persistent prompt injection). The error-detector reads CLAUDE_TOOL_OUTPUT (platform-provided) but that env var is not declared in requires.env — not malicious, but note the runtime reliance on platform envs.
Install Mechanism
No automatic install spec in registry; SKILL.md recommends manual git clone from GitHub (public repo). Files included in the package perform filesystem writes when run (extract-skill.sh creates skill scaffolds under ./skills). Nothing in the package fetches code from arbitrary URLs at runtime, but manual install steps would pull code from GitHub — review the remote repo before cloning.
Credentials
The skill declares no required env vars or credentials, and scripts do not request secrets. They do read a platform-provided variable (CLAUDE_TOOL_OUTPUT) and operate on local filesystem paths (creating ~/.openclaw/workspace/.learnings or ./skills). No disproportionate credential access is requested. Still, scripts will write files into user directories when used.
! Persistence & Privilege
always:false (good), but enabling the hook copies handler code into OpenClaw hooks and the handler injects a virtual bootstrap file on agent:bootstrap. More importantly, the guidance to 'promote' learnings to workspace files (SOUL.md, AGENTS.md, TOOLS.md, CLAUDE.md) means user or agent-created content can become persistent prompt/context injected into future sessions — this increases attack surface if untrusted or malformed entries are promoted. The skill itself does not forcibly enable hooks, but if enabled it affects all sessions.
What to consider before installing
This skill appears to implement a reasonable 'log learnings and remind the agent' workflow, but review these before installing:
- Inconsistency: the registry lists this as 'instruction-only' yet the package contains executable scripts and hook handlers. Verify the package contents and source repository you install from.
- Persistent context risk: the skill encourages promoting learnings into workspace files (SOUL.md, AGENTS.md, CLAUDE.md, TOOLS.md) that OpenClaw injects into every session. Only promote content you fully trust and sanitize — otherwise you can unintentionally introduce persistent prompt-injection or behavioral changes.
- Hooks are opt-in: the hook handlers only run if you copy/enable them. If you don't want global reminders or injected bootstrap files, don't enable the hook.
- Inspect scripts before running: activator.sh and error-detector.sh only print reminders and parse CLAUDE_TOOL_OUTPUT, and extract-skill.sh scaffolds files under ./skills but can write to disk. Check file permissions and the scripts' exact behavior; run extract-skill.sh with --dry-run first.
- Remote install caution: SKILL.md recommends git-cloning a GitHub repo. If you follow that, verify the repository and its commit history before cloning/executing scripts.
If you want to proceed: only enable hooks at project scope (not global), avoid promoting untrusted learnings into injected workspace files, and run the scripts in a controlled environment first.
If you want more confidence, provide the canonical upstream repo URL and confirm owner metadata — the packaged _meta.json ownerId differs from the registry ownerId, which is another inconsistency worth resolving.

Like a lobster shell, security has layers — review code before you run it.
