Skill v1.0.0
ClawScan security
Proactive Agent Local · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review Apr 10, 2026, 10:07 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's files and scripts mostly match a 'proactive agent' purpose, but there are internal contradictions and a few instructions that give it broad read access (home config, logs) and aggressive autonomy patterns — review before installing or running.
- Guidance: This package mostly matches its stated goal (proactive/local agent architecture) but has some red flags you should check before installing or running:
  1. Inspect scripts/security-audit.sh yourself — it reads logs (/tmp) and $HOME/.clawdbot, and scans files for secrets; run it in a sandbox or dry-run first.
  2. Resolve the contradictory instructions: AGENTS.md's 'Don't ask permission. Just do it.' conflicts with other guardrails that require human approval for external actions — decide which behavior you want.
  3. Confirm whether your agent runtime will allow the skill to read ~/.clawdbot, .credentials, or system logs; if not, restrict filesystem access.
  4. Because the SKILL.md mentions spawning agents and aggressive autonomous behaviors, only enable autonomous invocation after you (a) trust the author (source/homepage is missing and owner IDs differ between manifest and registry metadata) and (b) have tested the behavior in an isolated environment.
  5. If you proceed, run the audit script and manually review all asset files for any lines that would send data externally or execute network calls.

  If you are uncertain, prefer using this in a disposable/sandbox workspace and ask for human approval before any external send/publish actions.
- Findings:
  - [prompt-injection-patterns] expected: The pre-scan detected phrases like 'ignore-previous-instructions', 'you-are-now', and 'system-prompt-override'. These appear in SKILL.md and references as examples to detect and defend against prompt injections (i.e., the skill instructs the agent to scan for these patterns), so the finding is expected and legitimate in this context.
Review Dimensions
- Purpose & Capability (note): The name, SKILL.md, and asset files align with a proactive-agent architecture (onboarding, WAL, working buffer, heartbeats). No env vars or external installs are requested, which is proportionate. However, some guidance is contradictory: assets/AGENTS.md contains 'Don't ask permission. Just do it.' which conflicts with many guardrails elsewhere ('Nothing external without approval'). That contradiction could lead to overly-autonomous behavior not justified by the stated purpose.
- Instruction Scope (concern): Runtime instructions are mostly workspace-file oriented (writing SESSION-STATE.md, working-buffer.md, copying assets). The included security-audit.sh script, however, inspects files outside the immediate workspace (tails /tmp/clawdbot/*.log, reads $HOME/.clawdbot/clawdbot.json), and scans repository files for suspected secrets — these actions are plausible for an audit but broaden the skill's read scope. The SKILL.md and references include patterns like 'spawn research agents' and aggressive 'try 5-10 approaches' guidance which could lead to spawning additional processes/agents if the host framework permits. Also the SKILL.md contains prompt-injection phrases, but they appear as examples for detection rather than active instructions.
- Install Mechanism (ok): No install spec (instruction-only) and no network downloads. The only executable artifact is scripts/security-audit.sh (contained in repo). This is low-risk for supply-chain install vectors, but running included scripts will write/read files on disk — treat them like code you must inspect before executing.
- Credentials (note): The skill declares no environment variables or credentials required, and most files describe storing credentials in a local .credentials directory (gitignored). That is proportionate. Still, the audit script and AGENTS.md expect access to .credentials and to $HOME/.clawdbot config; granting the skill runtime ability to read those locations is more privilege than the minimal description implies — verify whether your agent runtime actually permits such filesystem access before trusting the skill.
- Persistence & Privilege (ok): always is false and default autonomous invocation is allowed (normal). The skill does not request forced always-on presence or modify other skills. The main persistence is via writing workspace files (SESSION-STATE.md, memory files) which is consistent with its stated purpose.
