Back to skill
Skillv2.0.0
ClawScan security
workspace-organizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 19, 2026, 11:12 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files, runtime instructions, and requested resources are consistent with a local workspace organiser that creates folders and saves/recovers task memory; it performs only local filesystem operations and requests no credentials or network access.
- Guidance
- This skill appears coherent and local-only: it writes/reads files under your OpenClaw workspace and uses bundled Python/PowerShell scripts. Before installing or running: (1) review the scripts if you want to be certain where files will be written (they target ~/.openclaw/workspace or common AppData paths); (2) run the Python scripts manually the first time to confirm behaviour (they have no network calls); (3) be aware the PowerShell helpers are shipped as .txt and must be renamed to .ps1 to use — only do that if you trust the package; (4) if you rely on automated heartbeat checks, configure scheduling explicitly rather than enabling broad auto-execution. If you want extra assurance, run the package in a test workspace or sandbox first.
Review Dimensions
- Purpose & Capability
- okName/description (organise workspace, save checkpoints, recover sessions) match the included scripts and SKILL.md. The scripts implement creating task folders, writing daily and long-term memory, updating per-task metadata, scanning and presenting recoverable tasks — all coherent with the stated purpose.
- Instruction Scope
- okSKILL.md instructs running bundled Python/PowerShell scripts and operating under a workspace root ('.openclaw/workspace' or output/...). The instructions reference only the included scripts and local workspace paths; they do not instruct reading unrelated system files, network endpoints, or arbitrary environment secrets. Heartbeat functionality is described but requires the user to install/configure scheduling outside the skill.
- Install Mechanism
- okNo install spec or external downloads are used. All code is bundled with the skill. There are no brew/npm/remote fetch steps or archive extraction from untrusted URLs in the package.
- Credentials
- okThe skill requests no environment variables or credentials. Scripts read common location variables (APPDATA, HOME, USERPROFILE) to locate the user workspace directory — this is expected for a local workspace tool and proportional to its function.
- Persistence & Privilege
- okalways:false and no special agent-level persistence is requested. The skill only writes files under the user's workspace (memory files, .task-meta.json) and provides optional PowerShell wrappers; it does not modify other skills or global agent settings.