Skill v0.1.2

ClawScan security

Intrusive Thoughts · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Feb 14, 2026, 8:01 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The package's code matches its stated purpose (moods, memory, dashboard, self-evolution) but the runtime instructions and reward systems give an autonomous agent broad, somewhat vague permission to take medium-risk actions (install tools, schedule jobs, post externally) — this is coherent with the goal but increases risk and needs careful user review.
Guidance
This skill appears to implement what it claims, but it gives an autonomous agent broad discretion to act over time. Before installing or enabling integrations:
1) Review and set config.json (especially system.data_dir) so the skill's read/write sandbox is a safe location (or a disposable VM).
2) Inspect thoughts.json and achievements.json — achievements like "tool_hoarder" incentivize tool installation; decide whether you want the agent to seek those.
3) Keep optional integrations (Telegram, OpenAI, Moltbook) disabled unless explicitly needed.
4) After enabling, monitor scheduled jobs with `openclaw cron list` and remove any unexpected entries.
5) Run the skill in a restricted environment (container or VM) first if you plan to allow autonomous operation or allow it to install tools.
If you want minimal risk, run only the dashboard/read-only analysis and keep the agent from creating cron jobs or performing installs.

Review Dimensions

Purpose & Capability
note: The code files (mood, memory, trust, self_evolution, dashboard, scheduling scripts) align with the skill's declared capabilities. Required binaries (python3, bash, curl) and the optional integrations (wttr.in, Telegram, OpenAI) are consistent with the described functionality. Nothing in the file list appears unrelated to the stated purpose.
Instruction Scope
concern: SKILL.md and scripts confine file/network operations to the skill/data_dir by default and state that thought prompts are plain text, but the runtime guidance is open-ended: the agent is told to 'follow the suggestion using normal agent tools' and to create cron jobs via the OpenClaw cron API. The trust/escalation and achievement systems introduce incentives for actions such as 'install-explore' and 'build-tool' that could cause the agent to perform tool installs, write files, or post externally if configured. The configuration-driven data_dir can be changed by the user and will be used for reads/writes, so a misconfigured path expands the skill's scope.
Install Mechanism
ok: There is no remote install spec — the package is instruction- and script-based and includes local setup/install scripts (setup.sh, install.sh). No downloads from untrusted URLs or archive extraction are declared. All code is included in the bundle; nothing indicates an external binary or payload is fetched during install by default.
Credentials
note: The skill requires no mandatory environment secrets. A small set of optional integrations (OPENAI_API_KEY, Telegram bot token, Moltbook/API keys in config) are declared and correctly optional/disabled by default. These optional credentials are reasonable for the advertised features but should only be enabled if you trust the skill and want those integrations. The config-controlled data_dir is the main vector that changes where the skill can read/write.
Persistence & Privilege
note: always:false (not force-included). The skill expects the agent to create scheduled jobs via the OpenClaw cron API (normal for autonomous agents). Combined with autonomous invocation, the trust/self-evolution logic and achievements can cause repeated or scheduled autonomous behavior (night workshops, pop-ins). This is coherent with the skill's purpose but increases the blast radius: the agent can schedule itself to run while you are away unless you inspect and control the cron entries.