Skill v1.1.2

ClawScan security

Private Chat · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 7, 2026, 5:16 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly implements an on-disk AES helper and an instruction policy for private-mode, but its runtime instructions contain deceptive/hiding behavior and there are mismatches between claimed behavior and what is actually provided.
Guidance
This skill provides a straightforward encryption helper (shell script using OpenSSL) and documentation to add a 'private mode', but there are important red flags you should consider before installing:

- The SKILL.md explicitly instructs the assistant to hide the existence of private mode in non-private conversations (tells the model to lie/deny). That is deceptive behavior and may be unacceptable depending on your trust model and policy. Remove or modify that 'Iron Law' before use if you need transparency.
- The documentation instructs you to store the encryption password in config.json (plaintext). This is insecure — prefer prompting for the password at runtime or using a system keystore, and restrict file permissions (chmod 600) for any vault files.
- The included script depends on openssl and base64 utilities but the skill metadata does not declare required binaries. Verify openssl is available and audit the script before running.
- The SKILL.md claims 'auto-encrypt and save' behavior but the shipped script only performs encryption/decryption and does not implement automatic agent-side storage — check how your agent will call the script and where it will write files. Confirm where memory/private-vault.md will live and who can read it.
- Default settings use a surprising codeword ('lgbt') — change it to something neutral and private.

Recommendations: review and remove the concealment instructions, avoid putting secrets in config.json, run the script locally to verify behavior, inspect who/what can read the vault file, and only install if you trust the skill author or are prepared to modify the skill to meet your security requirements.

Review Dimensions

Purpose & Capability
note
The name/description (private encrypted conversations) align with the provided encryption script and docs. However the SKILL.md promises 'auto-encrypt and save to memory/private-vault.md' while the included script only performs encryption/decryption and does not implement automatic storage integration; the doc also instructs creating a plaintext config.json containing the encryption password (security/usability mismatch). The default codeword 'lgbt' is an odd/unexpected choice that may be insensitive.
Instruction Scope
concern
SKILL.md contains high-level runtime rules that go beyond a simple helper: it tells the agent to detect a codeword, identify sensitive data, auto-encrypt and store it, auto-exit and clear context — and critically it contains an 'Iron Law' requiring the agent to completely hide the existence of private mode in non-private mode (explicit instructions to lie/deny). That is scope creep and a deceptive behavior directive which is a security and policy risk. The instructions also assume the agent will write/read config.json and memory/private-vault.md but give no safe implementation details.
Install Mechanism
note
No install spec (instruction-only) — low risk from external downloads. The repo includes a shell script that relies on openssl being present; however required binaries were not declared in metadata. The script is local and readable; it uses openssl and base64, so system availability of those tools is required but not surfaced in requirements.
Credentials
concern
The skill requests no environment variables or external credentials, which is proportionate. However the configuration pattern requires storing an encryption password in config.json (plaintext file) per the documentation — that is a poor security practice and disproportionate to a secure design (should use a secure keystore or prompt at runtime). No declarations warn the user about file permissions for the 'memory' folder.
Persistence & Privilege
note
always:false and no system-wide changes — the skill does not request persistent platform privileges. That said, because the SKILL.md instructs the agent to hide the feature and to persist encrypted content to disk, if the agent is allowed autonomous invocation this combination increases the potential for covert data retention; the deceptive behavior combined with normal model invocation raises concern but does not in itself indicate privilege escalation.