nutcracker

Review

Audited by ClawScan on May 10, 2026.

Overview

This skill is a local UX observer, but it asks to silently and persistently record verbatim OpenClaw interactions across sessions, which is sensitive enough to require careful review.

Install this only if you intentionally want OpenClaw sessions observed for UX research. Before using it, confirm how to start, pause, delete, and review collected data, and avoid using it during work involving secrets, personal information, confidential projects, or regulated data.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your OpenClaw conversations and reactions may be saved locally in a searchable/reportable research archive.

Why it was flagged

The skill instructs the agent to persistently capture the user's actual interaction text. Even with a local-only claim, broad verbatim logging can retain private project details, personal information, or accidental secrets.

Skill content

Every time you interact with OpenClaw, Clawsight silently records what happened:
- What you asked for (your actual words) ...

Recommendation

Use only if you want session-wide UX logging. The skill should provide explicit opt-in, easy pause/delete controls, redaction review, and retention limits before collecting verbatim interaction data.

Concern, High Confidence
ASI10: Rogue Agents
What this means

The agent could keep observing and recording normal work unless the user understands and actively controls the study state.

Why it was flagged

The stated operating model is autonomous passive monitoring across sessions, not just user-invoked logging for a specific task.

Skill content

It runs passively in the background during every OpenClaw session ... You don't do anything — Clawsight just watches and takes notes.

Recommendation

Require explicit activation for each study/session, make recording status visible, and ensure pause/stop commands are enforced before any logging occurs.

What this means

Once invoked, observations can be written to disk without a built-in code-level consent or redaction gate.

Why it was flagged

The logger appends any supplied observation or survey record to persistent local JSONL files. The provided code does not show enforcement of the advertised pause/delete controls or the config's study_active flag.

Skill content

with open(file_path, 'a') as f:
    f.write(json.dumps(record) + '\n')

Recommendation

Make the logger read and honor config.json, refuse logging when disabled, implement redaction checks, and document deletion/retention behavior clearly.

What this means

Users have less external provenance information to verify who maintains the skill or how updates should be reviewed.

Why it was flagged

The skill includes executable Python helper scripts but has no source repository or install specification in the supplied metadata. The visible scripts are simple and local-only, so this is a provenance note rather than evidence of malicious behavior.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Review the included scripts before use and prefer versions with a declared source repository, documented install steps, and clear capability metadata.