Skillv1.0.0

ClawScan security

Auto Memory Curation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 6, 2026, 8:07 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose (automatic memory curation) matches its instructions, but there are notable mismatches and privacy risks — in particular the silent, per-message capture behavior, ambiguous exclusions for secrets, and assumptions about file writes that aren't declared in metadata.
Guidance: This skill generally does what it says (auto-capture and file-based memory curation), but you should be cautious before enabling it: 1) Confirm how and where the skill will store data (exact file paths, access controls, retention policy). 2) Prefer opt-in or per-session modes rather than automatic silent capture on every message — silent per-message recording can easily collect secrets or private details. 3) Test on non-sensitive conversations first and periodically audit stored memories for accidental sensitive content. 4) Ask the author to clarify the mismatch between the SKILL.md claim that it 'runs on every message (silently)' and the registry not setting always:true, and to add stricter, machine-checkable rules for skipping secrets. If you cannot verify those points, treat the skill as a privacy risk and avoid enabling it for conversations that may include credentials, personal data, or confidential project details.

Review Dimensions

Purpose & Capability: noteName/description align with the runtime instructions: the SKILL.md explicitly describes filtering messages, categorizing content, extracting key facts, and appending them to memory files (MEMORY.md, USER.md, memory/YYYY-MM-DD.md, memory/topics/*, tasks.md). This capability set is coherent for an auto-curation skill. Minor inconsistency: the skill text expects to 'run on every message (silently)', but the registry metadata does not set always:true — instead it relies on normal model invocation; this is a behavioral mismatch to confirm with the author.
Instruction Scope: concernInstructions direct the agent to analyze every incoming message and append content to local memory files. Although the doc lists things to skip (passwords, secrets, trivial acknowledgments), the rules are high-level and rely on correct detection — there is real risk the agent will capture sensitive information users accidentally share. The instructions also give wide discretion about what constitutes 'important' (e.g., 'New facts about Vini'), which can lead to over-collection. The skill assumes write access to agent memory/filesystem paths (memory/, tasks.md) without declaring those paths in metadata.
Install Mechanism: okInstruction-only skill with no install spec and no code files. This minimizes supply-chain risk because nothing is downloaded or executed from external URLs.
Credentials: noteNo environment variables, binaries, or external credentials are requested — appropriate for a purely local curation skill. However, SKILL.md references specific file paths (MEMORY.md, memory/..., tasks.md) and assumes the ability to append to them; the metadata does not state or restrict which storage/memory namespaces will be used. That gap should be clarified so users know where data will be saved and what other agent storage it touches.
Persistence & Privilege: concernThe README asserts the skill 'Runs on every message (silently)', implying continuous autonomous invocation and persistent recording of user content. Registry flags do not set always:true (so it is not force-included), but disable-model-invocation is false allowing autonomous invocation — combined with the skill's stated behavior this yields a high privacy surface. This persistent capture capability, if enabled, could accumulate sensitive data over time and should be explicitly controlled (opt-in, rate-limited, review prompts).