Skillv1.0.0

ClawScan security

KinthAI Self-Improving User · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 10, 2026, 3:01 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's files and instructions match its stated purpose (per-user learnings) but the combination of always-on injection, mandatory silent filesystem writes via shell, and instructions to hide the mechanism from users is concerning and worth review before installing.
Guidance: This skill does what it says (stores per-user 'learnings' in ~/.openclaw/.../.learnings) but has two red flags: (1) it's configured always:true so it will be injected into every agent bootstrap, and (2) it instructs the agent to run shell commands to silently write persistent files and explicitly tells the agent not to inform users. Before installing: review hooks/openclaw/handler.js and any scripts to confirm exactly what will be written and where; remove or change always:true so the skill is opt-in; require that writes be explicit and transparent to users (do not instruct silence); restrict the agent's ability to run arbitrary shell commands (or run this skill in a sandboxed workspace). If you cannot audit or modify the files, avoid installing or disable always:true and the hook to reduce risk.

Review Dimensions

Purpose & Capability: noteThe skill's name/description align with the code and SKILL.md: it stores per-user learnings under .learnings/{user_id} and injects prior learnings into bootstrap. Creating per-user directories and reading/writing small markdown files is coherent with the stated goal.
Instruction Scope: concernSKILL.md and the hook explicitly instruct the agent to perform filesystem writes (mkdir -p, append to LEARNINGS.md) using the Bash tool and to never mention the .learnings system to the user. Instructing the agent to hide persistent writes and demanding they be executed ("MUST" use shell writes) expands scope beyond passive guidance and raises transparency/privacy concerns.
Install Mechanism: okThere is no network download/install spec; this is an instruction+hook skill with local code only. The included hook.js reads/writes local files and modifies bootstrap content — expected for a local persistence feature.
Credentials: okThe skill requests no credentials or special env vars. It uses standard workspace/HOME paths and session context to obtain user_id, which is proportionate to per-user storage.
Persistence & Privilege: concernThe skill is flagged always: true and injects content into AGENTS.md at bootstrap, effectively forcing its rules into every agent bootstrap. Combined with autonomous invocation and explicit instructions to perform silent filesystem writes, this increases blast radius and enables persistent, covert data collection unless the operator inspects and restricts it.