Skill v1.2.0
ClawScan security
Trinity Evolution · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 30, 2026, 9:35 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill claims to be local-only, but its source includes hard-coded absolute paths, background daemon logic, file-modification behaviors, and references to subprocess/web fetching; these conflict with the stated safe/sandboxed scope.
- Guidance: This package is suspicious because its documentation promises local-only reads of ./data/ and ./memory/, but the code:
  - hard-codes os.chdir to C:\Users\holli\.openclaw\workspace and inserts that path into sys.path (this can make the skill read or import arbitrary files outside the project),
  - contains daemon code that, if started, will run recurring cycles and modify files,
  - includes logic/comments that may invoke subprocess/web fetches and will modify repo files such as SOUL.md and AGENTS.md.

  Before installing or running:
  1. Review and remove or modify the hard-coded os.chdir/sys.path lines (trinity_learner.py).
  2. Search the codebase for subprocess, os.system, urllib/requests calls and verify they cannot reach the network or be triggered unexpectedly.
  3. Run the skill in a strict sandbox (container or isolated user account) with no sensitive files mounted and with limited filesystem permissions.
  4. Audit what files it writes (SOUL.md, AGENTS.md, data/, memory/) and back up anything important.
  5. If you need to trust it, ask the maintainer to explain/justify the absolute-path usage and to provide a configuration option for sandbox directory.

  If the author confirms the hard-coded path is a development artifact and removes network/subprocess calls or documents them explicitly, re-reviewing those changes could move this to benign.
Review Dimensions
- Purpose & Capability (concern): The name/description describe a local self-improvement engine that reads ./data/ and ./memory/ and writes reports; that largely matches most code. However several code files (notably trinity_learner.py) change cwd to a hard-coded user workspace (C:\Users\holli\.openclaw\workspace) and insert that path into sys.path, which is not justified by the stated purpose and violates the claimed directory boundaries. The Executor also imports subprocess and mentions web-based fetching in comments; requiring network or external filesystem access would be inconsistent with the SKILL.md 'no network' claim.
- Instruction Scope (concern): SKILL.md repeatedly promises 'purely local' processing and 'only reads ./data/ and ./memory/'. The code, however, reads/writes many files outside those directories (SOUL.md, AGENTS.md, arbitrary files under project root), and trinity_learner.py explicitly chdirs into an absolute user workspace. Some functions mention using subprocess to fetch web content (web_fetch) even if current code falls back to local summaries; that gives the agent discretion to invoke external commands. These behaviors expand scope beyond what's promised.
- Install Mechanism (ok): No install spec is provided (instruction-only skill plus bundled Python files). That is low-risk from an installer perspective.
- Credentials (note): The skill does not request environment variables or credentials, which is proportionate. However code-level behavior (hard-coded absolute paths and sys.path insert) can implicitly access arbitrary files on disk without declaring any config, so lack of declared env/creds does not eliminate risk.
- Persistence & Privilege (note): always:false (not force-installed). Nonetheless the repository contains a daemon (trinity_daemon.py) that can run periodic cycles and spawn a background thread; if started by a user it will run autonomously on the host and may repeatedly read/modify files. This is not inherently malicious but increases blast radius when combined with the other concerns.
