Skill v1.1.0

ClawScan security

Self-Improving Human-Resources · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 14, 2026, 10:19 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files, scripts, and instructions are consistent with its stated purpose (capturing HR learnings and injecting reminders); it contains local helper scripts and OpenClaw hooks but requests no credentials or unexpected system access.
Guidance
What to check before installing/enabling:

- Review the included scripts (scripts/*.sh) and hook handlers (hooks/openclaw/handler.*). They run locally and create or read .learnings/ and ./skills/ files — confirm you're comfortable with that.
- Prefer project-level enablement rather than global ~/.claude or user-level settings to limit scope. Do not blindly enable PostToolUse hooks globally, because the error detector reads tool output (CLAUDE_TOOL_OUTPUT) and could surface sensitive terms; use matchers or limit to HR-related sessions.
- Confirm the recommended git clone URL is from a trusted source (the SKILL.md suggests a repo). If you don't trust the upstream, inspect the files in the skill bundle first rather than cloning remotely.
- Keep the scripts executable only when needed and check file permissions. The extract-skill script writes to the current directory; run with --dry-run first to see actions.
- The skill warns repeatedly to NEVER log PII; enforce that policy procedurally (anonymization checks) before persisting any user data.

Overall, this package appears coherent and appropriate for its HR logging purpose; the main operational risk is the normal prompt-injection surface that hooks provide if enabled broadly — limit hook scope and review code before activation.

Review Dimensions

Purpose & Capability
Status: ok
Name/description (capture HR learnings, log process issues, promote findings) match the included artifacts: templates, .learnings initialization, extract-skill helper, an activator, an error detector, and OpenClaw hook handlers that inject reminders. The code is focused on creating local markdown logs, scaffolding new skills, and adding a virtual bootstrap reminder—all coherent with the stated HR knowledge-capture goal.
Instruction Scope
Status: note
Runtime instructions and scripts operate on local workspace files (.learnings/ and skills/), emit reminders, and scan tool output for HR/compliance keywords. They do not transmit data to external endpoints or require unrelated files. Note: the error-detector reads the CLAUDE_TOOL_OUTPUT env var (tool output) to detect keywords — this can surface potentially sensitive content if you enable PostToolUse hooks. The SKILL.md strongly warns to never log PII.
Install Mechanism
Status: note
There is no formal install spec; SKILL.md recommends cloning a GitHub repo (a reasonable manual install). The package *does* include executable scripts and hook handlers (not purely instruction-only). That mismatch is not dangerous but worth noting: installing/enabling the hooks grants the skill the ability to inject content into agent sessions, so review the code before enabling. All included scripts operate locally and do not download arbitrary code.
Credentials
Status: ok
No required environment variables, no credentials, and no config paths are declared. The only environment access is to CLAUDE_TOOL_OUTPUT inside error-detector.sh (expected for a PostToolUse detector). There are no requests for unrelated secrets or system credentials.
Persistence & Privilege
Status: note
always:false is set, and there is no automatic persistence of credentials. However, enabling the provided OpenClaw hooks (agent:bootstrap, UserPromptSubmit, PostToolUse) gives the skill the ability to inject reminders/virtual files into every affected agent session. This is expected for a hook-style skill but is a behavioral privilege: enable at project scope rather than globally unless you have reviewed and trust the code.