Skill v1.0.1

ClawScan security

Ai Mother · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 18, 2026, 1:48 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's capabilities broadly match its stated purpose (monitor and manage local AI agent processes), but it includes powerful local actions (reading terminal panes and files, writing to process stdin, resuming/killing processes, and sending captured text to your Feishu) and a detected prompt-injection pattern — review carefully before installing.
Guidance
What to consider before installing:
- Review the scripts locally: the skill will be installed into ~/.openclaw/skills/ai-mother and includes many shell/python scripts that will be executed by the agent. Inspect notify-owner.sh, patrol.sh, auto-heal.sh, cleanup-duplicates.sh, and any script that calls kill, writes to /proc/*/fd/0, or uses tmux send-keys.
- Understand data exposure: patrol and auto-heal read terminal panes, session logs, and recent file changes and may include excerpts of that output in Feishu DMs. If terminal output or project files may contain secrets, expect potential leakage to your configured Feishu open_id.
- Check automation settings: setup.sh configures a cron patrol. Decide whether you want automatic patrols enabled and whether to allow any automatic cleanup flags (e.g., --auto). By default the scripts try to escalate for dangerous actions, but some operations can be automated if you enable options.
- Test in a safe environment: run scripts with --dry-run (auto-heal supports --dry-run) or run on a non-production user account first. Verify notify-owner only uses OpenClaw/Feishu and does not post to arbitrary endpoints.
- Confirm provenance and integrity: the skill's source is listed as 'unknown' and README/SKILL.md contains flagged unicode-control-chars; prefer code from a trusted repository and validate checksums or canonical source.
- Least privilege: run it under an account with minimal privileges you are comfortable granting (it runs as your user and can control your user processes). If possible, avoid running on machines with sensitive services or secrets open in terminals.

If you want, I can: (1) search the scripts for network calls or external endpoints to confirm there are none beyond OpenClaw/Feishu, (2) extract and show the exact lines flagged for unicode-control-chars, or (3) produce a short checklist of lines to audit before enabling cron/--auto behavior.
Findings
[unicode-control-chars] unexpected: The SKILL.md contained unicode-control-character patterns flagged by the scanner. This can be used for prompt-injection or to obfuscate instructions; it's not necessary for a monitoring skill. Review the SKILL.md for hidden characters or malformed prompts before trusting automatic runs.

Review Dimensions

Purpose & Capability
ok: The name/description (AI supervisor) aligns with the included scripts: process discovery, context collection, auto-heal, dashboard, SQLite history, permission handling, and owner notification via Feishu. The skill legitimately needs access to /proc, tmux, working directories, and to send notifications to the owner's OpenClaw/Feishu integration.
Instruction Scope
concern: SKILL.md instructs the agent to run patrol scripts that: read tmux pane content, read recent file changes and session logs (e.g. ~/.claude/projects/*), examine /proc, write to /proc/$PID/fd/0 or use tmux send-keys, resume or kill processes, and send excerpts of terminal output to the configured Feishu open_id. Those behaviors are in-scope for an AI supervisor, but they also create clear privacy/exfiltration and safety risks (sensitive terminal output or files can be transmitted). The SKILL.md also prescribes automatic patrols (cron) and rm of state files in examples; these are destructive if misused. The instructions are reasonably explicit about escalation (owner approval) for dangerous actions, but some scripts (e.g., cleanup-duplicates --auto or kill logic) can perform destructive actions if run with flags or via automation.
Install Mechanism
ok: There is no separate network install step; the skill is instruction-only in manifest but ships many local scripts and a small requirements.txt (rich). No downloads from external URLs were declared. That lowers supply-chain/install risk, but the presence of many executable scripts means installing the skill places capable code on disk which will run under your user account.
Credentials
note: The skill requests no explicit environment variables, but the setup requires the owner's Feishu open_id stored in ~/.openclaw/skills/ai-mother/config.json and depends on OpenClaw's Feishu channel. This is proportionate to its notification behavior. However, the scripts will access many local resources (process list, /proc, tmux panes, project files, SQLite DB) which are necessary for monitoring but are sensitive. There are no unrelated cloud credentials requested.
Persistence & Privilege
note: always:false (good). The setup wizard will create a cron job for periodic patrols (30m baseline, 5m in busy mode), and the skill writes state/db files under ~/.openclaw/skills/ai-mother. Periodic autonomous runs combined with the ability to resume/kill processes and send input increase the blast radius — acceptable for a supervisor but worth conscious consent and review of automation settings.