Skillv1.0.7

ClawScan security

Safe Memory Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 14, 2026, 8:04 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: Files and runtime instructions are consistent with a local memory-sanitization utility; no network exfiltration or unrelated credentials are requested, but the included ISNAD/verification metadata should be manually validated before trusting automatic 'verified' claims.
Guidance: This skill appears to do what it says: a local Python module that sanitizes input before appending to per-skill memory files and returns a boolean 'isnad_verified'. Before trusting the built-in 'verified' claims: 1) Manually verify that isnad_manifest.json's hash matches the SHA-256 of safe_memory.py (the code compares these at runtime and will return False if they differ). 2) If you need strong provenance, validate the PGP signature / auditor chain outside the package. 3) Review logging/written files in the created 'memory' directory if you plan to store sensitive material. 4) Because the skill is instruction-and-code bundled without an install step, prefer installing from a known/trusted source or pinning a vetted version. If you see isnad_verified==false at runtime, treat the package as unverified until you resolve the manifest/hash/signature mismatch.
Findings: [ignore-previous-instructions] expected: The SKILL.md and code intentionally reference and sanitize 'ignore previous instructions' style payloads as examples of injection vectors. The static detector flagged this string — that's expected for a skill that identifies such patterns, but it can produce false-positive alerts during automated scans.

Review Dimensions

Purpose & Capability: okThe name/description match the included code: safe_memory.py implements sanitize_content, append_memory, and read_memory to manage local memory files and detect prompt-injection patterns. No unrelated binaries, env vars, or external services are requested.
Instruction Scope: noteSKILL.md and the code stay within the stated purpose (sanitizing and storing local memory). The SKILL.md includes example injection patterns (e.g., 'ignore prior instructions') and the code explicitly replaces those patterns. A static pre-scan flagged ‘ignore-previous-instructions’ in the SKILL.md — this appears here as a detection example, not as an attempt to execute or exfiltrate data, but it can trigger scanners and should be recognized as an intentional example pattern.
Install Mechanism: okNo install spec; the skill is an included Python module and SKILL.md usage example. Nothing is downloaded or written outside the skill's own memory directory, so install risk is low.
Credentials: okThe skill requires no environment variables, credentials, or config paths. Its disk writes are limited to a dedicated 'memory' directory under the agent's working directory with filename sanitization applied.
Persistence & Privilege: okalways is false and the skill does not modify other skills or global agent settings. It only creates/uses its own memory directory and does not request persistent system privileges.