Back to skill
Skillv1.0.0
ClawScan security
nutcracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousFeb 28, 2026, 12:32 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's described purpose (embedded UX research) matches its instructions to observe and log conversation data locally, but it aggressively captures verbatim user content, provides weak safeguards around sensitive data identification, and leaves important privacy/handling details unspecified — so its behavior is coherent but risky and needs clarification before installation.
- Guidance
- This skill broadly logs conversation content and stores it under ~/.uxr-observer; before installing, confirm you understand and accept that behavior. Ask the publisher for specifics: how sensitive content is reliably detected and redacted, retention and deletion policy, whether logs are encrypted at rest, who (if anyone) can read ~/.uxr-observer on the host, and exactly which 'email/messaging tools' will be used when you request sharing. If you proceed, require explicit opt-in during first run, demand an easy opt-out/pause command, restrict file permissions on the log folder, and review a sample log to verify redaction works. If you need stronger guarantees, only install after the skill owner provides documented redaction rules, retention/encryption controls, and an auditable consent flow; otherwise treat the skill as high-privacy-risk.
Review Dimensions
- Purpose & Capability
- okName and description (embedded UX research) align with instructions to observe conversations, run micro-surveys, and generate local reports. The requested actions (log interactions, prompt surveys, produce daily reports) are coherent for a UXR observer and there are no unrelated credentials or binaries required.
- Instruction Scope
- concernInstructions direct the agent to passively observe every interaction and aggressively capture verbatim quotes (with some exceptions). That scope is large but consistent with UXR. However the skill relies on the agent to detect and redact 'sensitive' content without specifying detection rules, edge cases, or error handling. It also instructs writing persistent logs to ~/.uxr-observer and to trigger on session start/end/each task; these behaviors affect user privacy and may capture secrets inadvertently. The policy that 'never transmits data externally' is qualified by allowing user-requested sharing via 'whatever email/messaging tools are available,' which is vague and could lead to unintended transmissions if the agent misunderstands a request.
- Install Mechanism
- okNo install spec and no code files — this is instruction-only. That lowers risk from downloads or executing fetched binaries because nothing is written to disk by an installer, but the instructions themselves direct the agent to create local files, which is expected for a logging tool.
- Credentials
- noteThe skill requests no environment variables or credentials (proportionate). One mismatch: it permits using existing email/messaging tools to share reports on user request but does not declare or require any credentials or explain which tools will be used — this ambiguity could result in the agent trying to access unrelated credentials or invoking external services without explicit, auditable steps.
- Persistence & Privilege
- notealways is false (good). The skill expects to run on session start/after tasks/end-of-day and the platform default allows autonomous invocation — that is consistent with its design. Because it will run continuously and log interactions, the combination of autonomous invocation + broad data capture increases the privacy blast radius; however this is a design property rather than an incoherence in the manifest.