Skillv1.0.0

ClawScan security

Justanote · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

SuspiciousMar 6, 2026, 7:31 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill is coherent with a local markdown notes manager, but its runtime instructions directly read/write a particular host filesystem path and show unescaped shell command patterns that could allow unintended file access or path traversal if inputs aren't validated.
Guidance: This skill appears to do what it says (manage local markdown notes) and asks for no credentials, but it relies on running shell commands that directly read and write files under a specific workspace path. Before enabling it: 1) Confirm where the notes directory is mapped on your host (the file mentions a mapping to /root/.openclaw/... which could expose host files). 2) Avoid putting secrets in notes. 3) Ensure agent runtime will validate and sanitize user-provided note paths, titles, and search terms (prevent .. path traversal and shell injection). 4) If you are concerned about exposure, test using a disposable or non-sensitive notes directory, or deny autonomous invocation until you review how inputs are escaped. 5) If you want stronger guarantees, request or implement explicit filename/path validation and quoting when the agent runs shell commands.

Purpose & Capability: okName/description match the behavior: it manages markdown notes stored under a specific workspace path. It does not request unrelated credentials or services.
Instruction Scope: concernSKILL.md gives concrete shell commands that read/write files under /home/node/.openclaw/workspace/notes (and notes the host mapping to /root/...). Commands use direct variable substitution (e.g., $NOTES/PATH_TO_NOTE.md, grep with SEARCH_TERM) with no explicit input sanitization. That means a malformed PATH or SEARCH_TERM could allow the agent to read or modify files outside the intended notes tree.
Install Mechanism: okInstruction-only skill with no install spec and no packages downloaded — minimal installation risk.
Credentials: okNo environment variables, credentials, or external config paths are requested. Nothing disproportionate is declared.
Persistence & Privilege: notealways is false and the skill is user-invocable. The skill writes to the agent workspace (persistent across restarts) and the SKILL.md explicitly notes a host mapping to /root/.openclaw/workspace/notes, which may expose host-level files if the workspace is mounted or misconfigured.