Skillv1.0.0

ClawScan security

Meta-Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 12, 2026, 12:21 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill does what its description says (compiles session traces into reusable Skills), but it reads session transcripts and writes new skill code into your local skills directory — behavior that can unintentionally expose secrets and enable persistent code creation if invoked autonomously.
Guidance: This skill is functionally coherent but carries real risks you should consider before running it on real session data. Key recommendations: - Review the included scripts (they are provided in full) and the generated outputs before performing a hot-reload. - Do not point the compiler at session logs that contain secrets or sensitive outputs. Instead, operate on sanitized copies of session JSONL. - Prefer using the --out option to write generated skills to a safe sandbox directory first; inspect the generated SKILL.md, schema.json, run script, and any default values before placing them in your real skills directory. - Be aware generated schemas may include defaults copied from trace values (which can leak API keys or tokens present in traces); remove such defaults if found. - If you are uncomfortable with an agent autonomously running this compiler and writing skill files, restrict invocation (run it manually) or run it in an isolated environment/container. - If you plan to use it, run static/code review of produced scripts and consider running them with least privilege and on sanitized data. If you want, I can (1) point out exact lines where files are read/written and where defaults are set so you can audit them, or (2) suggest a safe invocation sequence that minimizes exposure (e.g., using --out to a temporary dir and manual inspection).

Review Dimensions

Purpose & Capability: okThe name/description (trajectory compiler → skill generator) matches the included scripts: they parse OpenClaw JSONL sessions/events, build a DAG, synthesize schema and code, and write a Skill folder. Reading session logs and writing into a skills directory is coherent with the stated purpose.
Instruction Scope: concernRuntime instructions and the scripts instruct the agent to read real OpenClaw session JSONL (~/.openclaw/agents/<agentId>/sessions) or arbitrary event inputs, normalize tool calls/results, synthesize code/schema, and write files into the Skills directory. Because session transcripts often contain tool outputs and possibly secrets, the pipeline will process and may embed those values (as defaults or constants) into generated files; the instructions give the agent broad discretion to pick sessions and write new skill files without explicit per-output confirmation.
Install Mechanism: okNo external install or remote downloads; this is instruction-plus-local-scripts only. All code is bundled in the skill package (no network install), so there is no third-party fetch risk in the install step.
Credentials: noteThe skill declares no required environment variables or credentials, which is consistent. The scripts do read process.env.HOME (and optionally respect OPENCLAW_SKILLS_DIR in docs), and they will read/write files under the user's home (session and skills paths). That file-system access is necessary for the compiler but means sensitive session data can be captured into generated artifacts.
Persistence & Privilege: concernThe compiler writes new Skill folders into the OpenClaw skills directory (default ~/.openclaw/workspace/skills/<skill-name>) and the README/instructions expect a hot reload. While 'always' is false, model invocation is allowed (normal), so an autonomously-invoked run could create or modify skill code on disk, enabling persistent, executable artifacts. Combined with the ability to embed scene defaults from traces, this increases blast radius if misused or invoked without human review.