Skillv1.0.4

ClawScan security

Neverforget · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 18, 2026, 3:08 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's behavior largely matches a local-memory installer, but it requests very broad filesystem/network reach, writes to global OpenClaw config and user files, and contains contradictory guidance (symlink vs. no-symlink) — the footprint is larger than many users would expect and deserves careful review before install.
Guidance: Before installing, carefully consider the following: (1) This skill intends to index large parts of your home directory (~) and will change global OpenClaw memory settings and restart the gateway — review and backup ~/.openclaw/openclaw.json first. (2) Confirm the exclusion rules cover all places you consider sensitive; exclusions like **/.ssh/**, **/.aws/** and **/.env** are present but may be incomplete for your environment. (3) The skill will append a HEARTBEAT.md into your workspace and may follow symlinks (different files give contradictory guidance) — do not create symlinks to sensitive external stores if you want them excluded. (4) The install path uses pnpm and downloads a model from Hugging Face (and references an hf-mirror); verify network endpoints and mirror trust before allowing downloads. (5) Prefer running this skill first in an isolated account, container, or VM to observe behavior and disk usage (model downloads can be large). (6) When prompted to run the auto-install script, review the commands line-by-line and decline if you do not accept global config changes or broad indexing. If you want to proceed safely: restrict the filesystem permissions in package.json to only the specific project paths you need, remove symlink recommendations, and test indexing on a small sample directory first.

Review Dimensions

Purpose & Capability: noteThe declared purpose (setup local embeddings with node-llama-cpp and Gemma-300M) matches the instructions to install node-llama-cpp, set the local provider, and download a Hugging Face model. However the package.json and SKILL.md ask for broad filesystem indexing (~/) and network access (huggingface, pnpm, npm registry, and an hf-mirror), which is functionally plausible for a full 'sovereign memory' system but is broad in scope and higher-privilege than many users would expect for a single skill.
Instruction Scope: concernRuntime instructions include writing/appending HEARTBEAT.md into ~/.openclaw/workspace, changing global OpenClaw config (agents.defaults.memorySearch.*), running openclaw gateway restart, and triggering openclaw memory index which will crawl user files. The skill's docs/templating give mixed guidance about symlinks (one file warns 'Do not use symlinks', another encourages creating symlinks to include external directories), which is an internal inconsistency that could dramatically expand what gets indexed. These instructions perform persistent, system-wide changes and can cause broad data collection if allowed.
Install Mechanism: noteThis is instruction-only (no install spec), so nothing is automatically written by a packaged installer. The suggested install uses pnpm to add node-llama-cpp (standard package manager usage) and relies on downloading a model from Hugging Face via the provider path. No arbitrary IP/paste/shortener URLs are present, but package.json lists an additional network entry 'hf-mirror.com' (third-party mirror) — worth verifying the mirror's trustworthiness.
Credentials: concernThe skill declares no required environment variables but the included openclaw manifest requests wide filesystem permissions (~/, ~/.openclaw, etc.) and network access to package/model registries. Indexing the entire home directory is disproportionate for many users because it can include secrets and private data; the manifest attempts to exclude common secret stores (.ssh, .aws, .env, .gnupg) but exclusion lists are error-prone and may miss other sensitive files. The ability to follow symlinks (documented elsewhere) could further expand access.
Persistence & Privilege: concernThe instructions modify global OpenClaw configuration keys (agents.defaults.memorySearch.*), append content to the user's workspace HEARTBEAT.md, restart the gateway, and trigger indexing. Changing global agent defaults and restarting the gateway are system-wide operations that affect other agents and the host environment — this is beyond a purely local skill's internal scope and increases blast radius if misconfigured.