v0.1.0

Personaldatahub

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:05 AM.

Analysis

This skill is designed for a real personal-data gateway, but it needs review because it can auto-use/create and log API keys, run broad install/start commands, and instruct direct GitHub credential use outside the stated gateway.

Guidance: Review this carefully before installing. Only use it if you trust the PersonalDataHub package and local hub, pin or verify the install commands, avoid logging API keys, check OAuth scopes and hub policies, and clarify whether GitHub access is truly mediated by PersonalDataHub or uses separate agent credentials.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
install: cd ../../ && pnpm install && pnpm build && npx pdh init "OpenClaw Agent" && npx pdh start

The documented install path changes to a parent directory, runs package installation/build steps, invokes an unpinned npx package, and starts a service, despite the registry showing no install spec.

User impact: Installing could execute broader local build/install code than expected and fetch/run package code whose exact version is not pinned.
Recommendation: Pin the pdh package/version, keep install commands scoped to the skill directory, publish an explicit install spec, and require clear user confirmation before starting services.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
dist/prompts.js
GitHub access is managed via your own credentials ... You do NOT use the `personal_data_pull` tool for GitHub; instead, use your own GitHub tools directly

The skill description and SKILL.md frame Gmail/GitHub access as mediated by PersonalDataHub policy, but the runtime prompt tells the agent to use direct GitHub tools with its own credentials.

User impact: A user may expect GitHub issue/PR access to be filtered by the gateway, while the agent may use ambient GitHub permissions outside that boundary.
Recommendation: Route GitHub reads through PersonalDataHub or clearly disclose that GitHub uses separate agent credentials, including exact scopes and user-approval expectations.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
dist/tools.js
name: 'personal_data_pull' ... name: 'personal_data_propose' ... 'The action is staged for owner review — it will NOT execute until the owner approves it in the PersonalDataHub GUI.'

The skill exposes tools that can retrieve personal data and stage outbound email actions. This is central to the stated purpose and the artifacts say actions require owner approval, but it is still high-impact authority.

User impact: If configured broadly, the agent can read sensitive emails or create pending outbound email actions through the hub.
Recommendation: Review PersonalDataHub policies, source scopes, result limits, and approval queues before enabling the tools.

Rogue Agents
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Starts the server in the background ... npx pdh start

The skill discloses a long-running background PersonalDataHub server. This is purpose-aligned, but it persists beyond a single agent request and handles sensitive connected accounts.

User impact: A local service with access to personal-data integrations may remain running after installation or use.
Recommendation: Document how to stop, update, and restrict the service, and ensure it binds only to intended local interfaces with appropriate authentication.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
dist/index.js
const envApiKey = process.env.PDH_API_KEY; ... const creds = readCredentials(); ... const keyResult = await createApiKey(hubUrl, 'OpenClaw Agent'); ... api.logger.info(`PersonalDataHub: Auto-created API key. Save this for your config: ${apiKey}`);

The runtime can obtain an API key from env vars, read local credentials, or create a new key automatically, then logs the generated secret. That API key gates access to personal data and action proposals, while registry metadata says there is no primary credential or env-var requirement.

User impact: The agent may gain access to the PersonalDataHub account and expose the API key in logs, increasing the chance that personal email/GitHub access can be reused outside the intended flow.
Recommendation: Require explicit user-provided credential configuration, declare the env/file credential requirements, require user approval before creating keys, and never print API keys in logs.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
"command": "npx", "args": ["pdh", "mcp"] ... only sources with connected OAuth tokens get tools

The recommended setup routes tool discovery and personal data access through an MCP server connected to OAuth-backed sources. That is expected for this integration, but it makes the MCP server and OAuth policy boundary important.

User impact: Personal data may flow through the local MCP/gateway process, so a misconfigured or untrusted hub could expose more than intended.
Recommendation: Use a trusted local PersonalDataHub instance, verify OAuth scopes, and confirm which dynamic MCP tools are registered before use.