Back to skill
Skillv1.0.0
ClawScan security
Personal Friends · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 18, 2026, 11:10 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it manages friend data by reading and updating a local knowledge file and requests no credentials, installs, or network access.
- Guidance
- This skill stores and updates personal friend information in the agent workspace file knowledge/personal/friends.md. It does not request credentials or communicate externally, so the main risk is local privacy: ensure the workspace is secure and that you trust the agent and host. Before installing, inspect the README and SKILL.md (you already did), and after enabling, review the contents of knowledge/personal/friends.md. If you want stronger protection, avoid putting sensitive identifiers in the file (use nicknames or partial data), back up or encrypt the file, and consider disabling autonomous invocation if you don't want the agent to update memory without your explicit prompt. The skill's source/homepage are not provided — while this is acceptable for an instruction-only skill, prefer skills from known sources if you have stricter trust requirements.
Review Dimensions
- Purpose & Capability
- okThe name/description (friend manager: birthdays, debts, plans) matches the instructions which read and update a local file knowledge/personal/friends.md — the requested capabilities are proportional and expected.
- Instruction Scope
- okSKILL.md explicitly directs the agent to read and update only knowledge/personal/friends.md and use chat history. There are no instructions to access unrelated files, environment variables, or external endpoints.
- Install Mechanism
- okThis is instruction-only with no install spec or code files, so nothing is downloaded or written during install — low installation risk.
- Credentials
- okThe skill declares no environment variables, credentials, or config paths. It does persist user data locally, which is appropriate for its purpose.
- Persistence & Privilege
- noteThe skill will write persistent personal data to knowledge/personal/friends.md in the agent workspace. This is expected for a memory-like assistant, but users should be aware the data is stored locally and accessible to anything with access to the workspace.