Skill v1.0.2

ClawScan security

AGI数字伙伴 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 5, 2026, 3:37 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
Skill largely implements what it claims (an AGI evolution agent) but includes powerful local tools (arbitrary shell executor, file ops, process manager, daemon modules) and a small mismatch in dependency claims, which increases risk and warrants cautious review before installing or allowing autonomous use.
Guidance
This skill appears to implement the AGI 'double-loop' model it claims, but it also ships local CLI tools that can run arbitrary shell commands, read/write/delete files, and kill processes. Before installing or enabling autonomous use:
1) Review the specific scripts you plan to use (especially scripts/cli_executor.py, cli_file_operations.py, cli_process_manager.py and any daemon modules).
2) Run the skill in a sandboxed environment (container or VM) and with least privilege (do not run as root).
3) If you will expose it as a service, note the AGPL-3.0 license requirement to publish source for networked services.
4) If you allow autonomous invocation, add explicit safeguards: restrict which CLI actions the agent may call, require explicit user confirmation for destructive operations (delete/kill), and avoid enabling background daemons unless you understand their behavior.
5) Verify whether the optional C extension (personality_core.so) is present and inspect it before loading.
These steps will reduce the risk of accidental data loss or unintended system access.

Review Dimensions

Purpose & Capability
note: Name/description (AGI evolution model) match the included code: many modules for intentionality, memory, metacognition, personality, and an explicit 'CLI toolbox' is documented. However, SKILL.md claims 'uses only the Python standard library' while the dependency list includes aiofiles>=23.0.0 and an optional C extension is referenced — a minor inconsistency. The presence of CLI command-executor, file-ops, and process-management modules is explainable by the 'Tool Use/CLI toolbox' claim, so capability inclusion is coherent but high-privilege.
Instruction Scope
concern: Runtime instructions call many local scripts and instruct creating ./agi_memory and running scripts that read, write, search, move, delete files, inspect /proc, get system/network info, execute arbitrary shell commands (via scripts/cli_executor.py). Those scripts are capable of deleting files, moving/copying entire trees, killing processes, and running arbitrary commands — the SKILL.md does not sufficiently constrain usage or provide safe defaults. The external-ring description (collecting 'system internal' intentionality data) and presence of daemon modules imply background data collection potential. This broad scope raises risk of accidental or authorized exfiltration/modification of system data if misused.
Install Mechanism
ok: No external install spec or remote download; the skill is instruction-only for installation but ships many code files as part of the bundle. No network fetches or archive extraction steps in the manifest were shown, which lowers installer risk. The optional C extension is referenced but not an external fetch in SKILL.md.
Credentials
note: The skill declares no required env vars or credentials (proportionate). However the cli_executor accepts arbitrary environment variable injection at runtime and many scripts read system files (e.g., /proc, ifconfig). No secrets are requested, but the toolset permits access to sensitive local data if invoked with paths or commands that expose them.
Persistence & Privilege
note: always:false (not force-included). The codebase includes daemon-like modules (intentionality_daemon, regulators) that could be used to run background tasks if started, but SKILL.md does not instruct automatic persistent installation. Allowing autonomous agent invocation combined with these powerful tools increases blast radius — worth restricting or reviewing how/when daemons are started.