Skill v1.0.2

ClawScan security

Skill Combinator — Emergent Capabilities Engine · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Mar 7, 2026, 12:06 AM)
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared purpose, file reads/writes, and required Telegram credentials are coherent with an emergent-capabilities meta-skill; no install or network downloads are present, but it does read potentially sensitive workspace files (MEMORY.md, AGENTS.md) so operators should review those files and how Telegram delivery is mediated by the platform before enabling it.
Guidance
This skill appears internally consistent for discovering and cataloging multi-skill combinations, but review a few operational details before installing:

- Confirm how OpenClaw delivers Telegram reports: is the platform the sender (the skill provides only content), or could the agent perform HTTP calls? Prefer platform-mediated delivery so the skill itself never performs network requests.
- Check the contents of AGENTS.md and MEMORY.md in your workspace; they may contain sensitive policy or user memory. The skill reads these files (read-only) to inform distillation — ensure nothing secret is stored there, or that you are comfortable with read access.
- Limit the Telegram bot token's scope (use a bot restricted to the intended chat), rotate the token if needed, and do not reuse a token with broader permissions.
- Inspect other installed SKILL.md files for any sensitive content before allowing the combinator to read them; the skill intends to extract only name and description, but the grep/cat approach reads the files locally in full.
- Validate the cron job/session configuration in OpenClaw (an isolated session is recommended) and verify that the constraints in cron-message.md are enforced by the platform (e.g., the prohibition on installing new skills autonomously, and on writing AGENTS.md/SOUL.md).

If you want stronger assurance, request documentation from the platform about notification mediation and a runtime audit log showing that the skill only read the declared files and did not perform outbound network calls. If you cannot confirm these, treat the read access to MEMORY.md/AGENTS.md as a potential privacy risk.

Review Dimensions

Purpose & Capability
Status: ok
The skill claims to inventory installed skills, detect multi-skill combinations, log outcomes, and send a weekly report. The declared read/write paths (skills directory, COMBINATIONS.md, .learnings) and the Telegram env vars match that purpose. Asking for a Telegram bot token and chat id is proportionate for sending scheduled reports.

Instruction Scope
Status: note
Runtime instructions explicitly read /workspace/skills/ (name and description), .learnings files, COMBINATIONS.md, AGENTS.md, and MEMORY.md, and write COMBINATIONS.md and .learnings entries. Reading other skills' SKILL.md to extract name/description is expected. However, AGENTS.md and MEMORY.md can contain sensitive policy or memory content; the skill claims never to write those or to output credentials, but the instruction set still grants read access to potentially sensitive files — this is scope-sensitive and worth reviewing.

Install Mechanism
Status: ok
No install spec or external downloads; this is an instruction-only skill (no code files are executed). This is low risk from an install/execution perspective.

Credentials
Status: note
Only TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID are required, and TELEGRAM_BOT_TOKEN is declared as primaryEnv. That is appropriate for sending notifications. The documentation asserts that the platform mediates delivery and that the skill makes no direct HTTP calls; this is plausible but ambiguous — operators should confirm that the platform, not the skill, performs the network send and that the token's scope is limited.

Persistence & Privilege
Status: ok
always:false and default autonomous invocation are used (normal). The skill writes only to its own catalogue and .learnings/memory logs and explicitly forbids writing AGENTS.md or SOUL.md. It does not request platform-wide always-on privileges.