Skill v1.0.1

ClawScan security

Org Learning Ops Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 1, 2026, 1:10 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's actions (reading full agent session histories and agent configs) match its stated purpose, but the runtime instructions are broad, touch sensitive local files/configs, and do not document how secrets, PII, or external network lookups are handled.
Guidance
This skill intends to analyze all agent conversations and agent configurations to produce daily learning/skills reports — which requires broad access to local session logs and config files that can contain sensitive text and possibly credentials. Before installing or enabling it:
1) Confirm where outputs/reports are stored and who they are sent to; ensure no external exfiltration endpoints are used without explicit approval.
2) Require explicit consent and an approved governance process for reading user/agent session logs.
3) Ask the author to document data minimization: which fields are read, how PII is redacted, retention policy, and how config files are sanitized to avoid exposing tokens.
4) Run the skill in a restricted sandbox (or on a copy of logs) first and review sample outputs.
5) If the skill will query private GitHub/registries, require explicit credentials/configuration and an approval workflow.
These steps reduce privacy and credential exposure risks. Additional information that would raise confidence to 'benign': explicit handling of sensitive fields, an allowed-operations list, destination(s) for reports, and a minimal-permission runtime manifest.

Review Dimensions

Purpose & Capability
note: The name/description (organizational learning, daily briefs, skills radar) align with instructions that analyze conversation histories and installed skills. Requesting full-session analysis and skill metadata from GitHub/ClawHub/etc. is plausible for this purpose.
Instruction Scope
concern: The SKILL.md explicitly requires reading full session files (~/.openclaw/agents/*/sessions/*.jsonl), calling visible session APIs (sessions_list/sessions_history), and reading '已安装技能与agent配置:当前环境可见配置' (English: "installed skills and agent configuration: the configuration visible in the current environment"). Those actions can expose PII, sensitive conversation content, and agent configuration data (which may include tokens or endpoints). The instructions do not specify consent, sanitization, retention, or where reports/results are sent, nor do they limit which data fields to use. That broad file and config access is a privacy/governance risk.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. This lowers mechanical installation risk.
Credentials
note: The skill declares no required env vars or credentials, yet its runtime requires access to local session files and agent configurations. Those config files might contain credentials or tokens; the skill does not document scope-limited access or how credentials are handled. External lookups (GitHub/ClawHub/skills.sh) are implied but no credential needs or network destinations are declared.
Persistence & Privilege
ok: always:false and no install steps; the skill does not request permanent inclusion or system-wide changes in the provided metadata. Autonomous invocation is allowed (platform default) but not combined with other elevated privileges here.