Skill v3.0.0

ClawScan security

PV_35 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 8, 2026, 2:08 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose is an emergency stop/risk blocker, but its instructions embed an automatic persistent local memory system that writes to ~/.openclaw/pv_palace/memories.json — behavior that is not declared in metadata and is scope-creeping and potentially privacy-sensitive.
Guidance
This skill contains an embedded persistent-memory system that will create and modify ~/.openclaw/pv_palace/memories.json and claims these memory functions are 'automatically' invoked. Before installing or enabling it:
1) Confirm you want automatic local persistence of preferences/decisions (may include sensitive info).
2) Ask the author how data is selected for storage, what the retention period is, and whether it is encrypted.
3) Consider running the skill in a sandbox or with HOME redirected to a disposable folder to inspect what gets written.
4) If you proceed, restrict file permissions on the PV palace folder and periodically audit or delete memories.json.
5) If you do not want persistent storage or automatic invocation, do not install it, or request a version without the auto-memory behavior.
The metadata does not declare the filesystem access — treat that as a red flag and get clarification before proceeding.

Review Dimensions

Purpose & Capability
concern: The skill claims to be an 'emergency brake / risk blocker' but the SKILL.md focuses heavily on a persistent memory subsystem that auto-stores user preferences and decisions. Persistent long-term memory/storage is not obviously required for an emergency stop capability, so this is disproportionate to the stated purpose.
Instruction Scope
concern: The runtime instructions include executable Python snippets that create a directory in the user's home, read/write a memories.json file, and provide examples of automatic calls (store_memory/search_memories/get_context). These instructions grant the agent discretion to persist and read arbitrary user-provided content across sessions. The skill text also suggests the memory functions will be '自动调用' (automatically invoked), which is vague and broad.
Install Mechanism
ok: There is no install spec and no code files beyond SKILL.md, so nothing is written to disk by an installer. The risk comes from the provided runtime instructions rather than an install mechanism.
Credentials
concern: Metadata declares no required config paths or env vars, but SKILL.md explicitly uses a path under the user's home (~/.openclaw/pv_palace/memories.json). That filesystem access is not documented in the manifest, and the skill can store arbitrary content (which may include sensitive data) without requesting or documenting credentials/consent.
Persistence & Privilege
note: The skill does not request 'always: true' and is user-invocable, but it instructs the agent to maintain persistent local memory across sessions. Persisting user decisions/preferences locally is a meaningful privilege; it's acceptable in principle but should be explicit in the metadata and require user consent/configuration (e.g., encryption, retention policy).