Strategy
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: strategy
Version: 1.0.0
The skill declares `"requires":{"bins":[]}` in `SKILL.md`, indicating no external binaries are needed. However, `memory-template.md` contains shell commands (`mkdir`, `touch`) within a code block, and `SKILL.md` instructs the agent to "See `memory-template.md` for initial setup." If the OpenClaw agent executes these commands, it contradicts the declared requirements, indicating a potential shell injection vulnerability. While the commands themselves are benign (creating local directories and files for workspace setup), the capability to execute binaries from markdown despite an explicit 'no binaries' declaration is a significant security risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Sensitive strategy context could remain available in future sessions unless the user reviews, edits, or deletes the local memory file.
The skill intentionally stores strategy context persistently on the user's machine, which is useful for continuity but may retain sensitive business constraints, preferences, or past decisions.
User context persists in `~/strategy/memory.md`. Create on first use.
Use the memory file only for information you are comfortable retaining locally; avoid secrets, periodically review `~/strategy/memory.md`, and delete or edit it when context should not persist.
