Skillv2.1.0

ClawScan security

Self Improving Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 8, 2026, 2:30 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's purpose (capturing 'instincts' and evolving learnings) matches most of the files, but there are multiple inconsistencies and privacy-risk behaviors (undeclared tools/env vars, automatic observation hooks that log inputs/outputs, and filesystem writes) that you should review before enabling.
Guidance: This skill appears to do what it says but requires careful review before enabling hooks. Actions to take before installing: (1) Inspect the scripts (hooks/observe.sh, scripts/error-detector.sh, activator.sh, extract-skill.sh) to confirm you are comfortable with what they log and write to disk. (2) Note missing declared dependencies: ensure git, jq, shasum, gzip exist or the scripts will fail. (3) Understand data collection: hooks will log tool inputs/outputs and repository metadata to ~/.claude/homunculus (or CLAUDE_HOMUNCULUS_DIR). Avoid enabling globally if those logs could contain secrets; prefer project-limited configuration and matcher filters. (4) Test first in a sandbox or throwaway environment and run scripts with --dry-run where available. (5) If you enable hooks, limit matcher patterns (don't use '*' globally), set strict file permissions on the homunculus directory, and consider setting CLAUDE_HOMUNCULUS_DIR to a controlled path. If you want stronger assurance, ask the publisher for a declaration of required binaries/env vars and an explanation of retention/rotation policies for logged observations.

Review Dimensions

Purpose & Capability: noteThe name/description and most files (SKILL.md, examples, instincts, hook handlers, scripts) align: this is indeed a self-improving/local-learning helper. However the manifest claims 'no required binaries / env vars' while the scripts rely on external commands (git, jq, shasum, gzip) and environment vars (CLAUDE_HOMUNCULUS_DIR, CLAUDE_PROJECT_DIR, CLAUDE_TOOL_OUTPUT). The missing declaration of these runtime dependencies is an inconsistency worth flagging.
Instruction Scope: concernThe SKILL.md and README instruct users to add PreToolUse/PostToolUse hooks (user- or project-level settings) so the included scripts will run on many lifecycle events. Those hooks and scripts capture tool inputs/outputs and write observations to ~/.claude/homunculus (or a configured CLAUDE_HOMUNCULUS_DIR). That behavior is coherent with the stated goal but broad: it will log command inputs/outputs (potentially sensitive data) and update a project registry. The instructions also recommend enabling hooks globally, increasing the data collection surface.
Install Mechanism: noteThere is no network install spec (no remote downloads), and the package is delivered as files — lower network risk. But the package includes executable scripts that will be written to disk and used if the user follows setup steps. The scripts assume availability of utilities (jq, git, shasum, gzip) without declaring them; that's a packaging/documentation gap rather than a direct supply-chain download risk.
Credentials: concernThe registry lists no required environment variables or credentials, yet the scripts read and use CLAUDE_PROJECT_DIR, CLAUDE_HOMUNCULUS_DIR and CLAUDE_TOOL_OUTPUT. They also run git remote get-url origin to derive project IDs (which can reveal repository URLs/paths). No secrets are explicitly requested, but the hooks will capture whatever appears in tool inputs/outputs (which can include secrets), so the environmental/data access is broader than declared.
Persistence & Privilege: notealways:false (opt-in) and there is no installer that forces persistent hooks, but the README/refs show how to enable user-level settings and OpenClaw hooks. If enabled, scripts create and maintain ~/.claude/homunculus and project subdirectories and a projects.json registry. That is normal for this functionality, but because hooks execute with the agent's user permissions and will run frequently if enabled, it increases the blast radius — review hook scope before enabling globally.