Skillv1.0.0

ClawScan security

Percept Summarize · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 22, 2026, 6:23 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's description (local meeting summarization) roughly matches its instructions, but the SKILL.md is vague about where summarization runs, what local/remote tooling is invoked, and how data is stored/exposed — leaving room for data exfiltration and unexpected persistent services.
Guidance: This skill's goal (summarize meetings) is plausible but the instructions leave important questions unanswered. Before installing or enabling it, consider: - Confirm where 'OpenClaw' runs: is it a local CLI that stays on your machine or a remote service? Transcripts sent to an external service can expose sensitive meeting content. - Verify percept-listen: this skill depends on another listener to capture audio/transcripts; only enable if you trust that component and know how it captures audio (microphone access, file reads). - Ask for a complete dependency list and install steps (binaries, versions, whether LanceDB is used and where it runs). The metadata currently lists no dependencies but the SKILL.md references several. - Check data storage details: where is the SQLite DB stored, who can access it, and can retention settings (speaker profiles never expire) be changed? Consider limiting retention for sensitive data. - Confirm the dashboard binding: ensure the web UI listens on localhost only (not 0.0.0.0) and is access-controlled if you will run it. - If you need stronger assurances, request source or an install spec from the author (or avoid enabling the skill). Because the skill can autonomously collect and persist conversation transcripts, only enable it in trusted environments and after clarifying the above points.

Review Dimensions

Purpose & Capability: noteThe stated purpose (summarize conversations, extract entities, store searchable notes) aligns with the steps in SKILL.md. However the instructions depend on other components (percept-listen, an 'OpenClaw agent' CLI, LanceDB) that are not declared in the skill metadata (no required binaries, env vars, or install steps). That mismatch is unexpected: a skill that relies on a local CLI and vector DB should declare those dependencies.
Instruction Scope: concernSKILL.md instructs the agent to watch for 60s silence, build speaker-tagged transcripts, send transcripts to an 'OpenClaw' CLI for LLM summarization, run entity resolution (including LanceDB vector search), write results to SQLite (FTS5), and host a dashboard on port 8960. Those actions allow the agent to collect, persist, and serve conversation content and to invoke an external LLM via a CLI — none of which are constrained or fully specified in the instructions, creating scope creep and potential for sensitive data exposure.
Install Mechanism: noteThis is an instruction-only skill with no install spec or code files, which minimizes direct supply-chain risk. However because it assumes external components (OpenClaw CLI, LanceDB, percept-listen) are present, lack of an install spec means it's unclear how or whether those components will be installed or configured, and whether they'll be invoked locally or remotely.
Credentials: concernThe skill declares no required environment variables or credentials, yet it instructs sending transcripts to an 'OpenClaw agent' via CLI and using LanceDB for semantic search. Those operations often require tokens, endpoints, or binaries; their absence from metadata is a proportionality mismatch. Also, speaker profiles are set to 'never expire'—a retention policy that may be disproportionate for many users without explicit consent or access controls.
Persistence & Privilege: noteThe skill does not request always:true and is user-invocable (normal). Still, it instructs the agent to persist conversational data locally (SQLite) and expose a dashboard on port 8960. Autonomous invocation combined with persistent storage and an HTTP dashboard increases the practical blast radius if the skill is misconfigured, but the skill does not explicitly request elevated system privileges.