Skillnote

Audited by ClawScan on May 13, 2026.

Overview

SkillNote does what its self-hosted registry purpose describes, but it also rewrites local skills automatically, updates itself, and runs a background usage watcher, so review it before installing.

Install only if you trust the SkillNote backend and are comfortable with it continuously syncing local skills, receiving usage telemetry, and influencing future agent instructions. Before using it, consider disabling or reviewing automatic self-updates, restricting registry writers, and backing up any local `sn-*` skills.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A compromised or untrusted SkillNote backend could execute code on the user's machine during the daily self-update check.

Why it was flagged

The remote response from the configured SkillNote host is interpolated into a Python `-c` source string before parsing. A malicious or compromised backend response containing quote-breaking content could cause local Python code execution during the automatic version check.

Skill content
REMOTE=$(curl -sf ... "$HOST/v1/openclaw-skill" ...); REMOTE_VER=$(python3 -c "import json,sys; print(json.loads('$REMOTE'...
Recommendation

Parse remote JSON only via stdin or a temporary file, validate the version field strictly, and avoid embedding network responses in executable code.
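To make the quote-breaking problem concrete, the following is an added example, not SkillNote's code: it reproduces the flagged interpolation pattern with a constructed malicious response, then shows the stdin-based parse with strict version validation that the recommendation calls for. The response field name `version`, the untruncated shape of the `-c` template, and the three-part numeric version format are assumptions; the page shows the template only truncated.

```python
"""Added example (not SkillNote's code): the flagged python3 -c interpolation
reproduced with a constructed response, next to a stdin-based parse."""
import re
import shlex
import subprocess
import sys

PYTHON = shlex.quote(sys.executable)
# Strict shape for the version field: ASCII digits only, three components.
# Semver prerelease tags would need a wider pattern.
VERSION_RE = re.compile(r"[0-9]+\.[0-9]+\.[0-9]+")

# Constructed responses standing in for $HOST/v1/openclaw-skill output. The
# real field name is not visible on the page; "version" is an assumption.
BENIGN = '{"version": "1.4.2"}'
# Closes the single-quoted literal in json.loads('...'), runs an extra
# statement, then reopens a balanced expression so the source still parses.
MALICIOUS = "1')); print('INJECTED'); (json.loads('{\"version\": \"0\"}"


def unsafe_version(remote: str) -> str:
    """The flagged pattern: the response travels through a shell variable into
    the -c source string, so quote-breaking input becomes Python code."""
    script = (
        f"REMOTE={shlex.quote(remote)}; "
        f"{PYTHON} -c \"import json,sys; print(json.loads('$REMOTE')['version'])\""
    )
    proc = subprocess.run(script, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


# The parser source is a constant; untrusted bytes only ever reach it via stdin.
PARSER = (
    "import json, sys\n"
    "try:\n"
    "    data = json.load(sys.stdin)\n"
    "except ValueError:\n"
    "    sys.exit(1)\n"
    "v = data.get('version') if isinstance(data, dict) else None\n"
    "if not isinstance(v, str):\n"
    "    sys.exit(1)\n"
    "print(v)\n"
)


def safe_version(remote: str):
    """Hardened form: fixed source, response on stdin, strict validation of
    the returned field. Returns the version string or None."""
    proc = subprocess.run([sys.executable, "-c", PARSER], input=remote,
                          capture_output=True, text=True)
    candidate = proc.stdout.strip()
    if proc.returncode != 0 or not VERSION_RE.fullmatch(candidate):
        return None
    return candidate


if __name__ == "__main__":
    print("unsafe, benign:   ", unsafe_version(BENIGN))      # 1.4.2
    print("unsafe, malicious:", unsafe_version(MALICIOUS))   # 1 then INJECTED
    print("safe, benign:     ", safe_version(BENIGN))        # 1.4.2
    print("safe, malicious:  ", safe_version(MALICIOUS))     # None
```

The same two-step rule applies whether the caller is sync.sh or a Python script: the interpreter's source text never contains network data, and whatever comes back is matched against an allow-pattern before it is used in an `install` command or a file path. A caller that is already Python can simply `json.loads` in-process and validate, without spawning anything.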

What this means

The configured backend, or anyone who compromises it, can persistently change this always-loaded skill's instructions without a fresh user confirmation.

Why it was flagged

The skill automatically updates itself from a version reported by the configured backend, either by invoking ClawHub with `--yes` or by overwriting its own SKILL.md from the server response.

Skill content
clawhub install "skillnote@$REMOTE_VER" --yes ... else ... echo "$SKILL_BODY" > "$SKILLNOTE_DIR/SKILL.md"
Recommendation

Require explicit user approval for self-updates, pin trusted update sources, verify signatures or checksums, and avoid silent `--yes` installs for agent behavior changes.

What this means

A bad or incomplete catalog response could remove local skills under the `sn-*` prefix, including possibly user-created or manually restored skills.

Why it was flagged

The sync process deletes any local `sn-*` skill directory not present in the current remote catalog, not only entries previously recorded in SkillNote's manifest.

Skill content
if entry.startswith('sn-') and entry not in local_names: stale.add(entry) ... shutil.rmtree(d)
Recommendation

Delete only manifest-managed directories, back up removed skills, and ask the user before destructive cleanup when the catalog changes unexpectedly.
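As an added example (not SkillNote's own sync code), here is how the cleanup step can be scoped to a manifest and made recoverable: only directories the tool itself recorded earlier are removal candidates, removals go to a backup folder instead of `shutil.rmtree`, and a catalog that would drop every managed skill is treated as a suspicious response that needs confirmation. The manifest file name and layout, the backup location, and the sample directory tree are assumptions.

```python
"""Added example (not SkillNote's code): manifest-scoped cleanup of sn-* skill
directories that backs up instead of deleting and refuses suspicious catalogs."""
import json
import shutil
import tempfile
import time
from pathlib import Path

PREFIX = "sn-"
MANIFEST_NAME = ".skillnote-manifest.json"   # assumed name and layout, not from the page
BACKUP_DIR = ".skillnote-backup"             # assumed location for removed skills


def load_manifest(skills_root: Path) -> set:
    """Slugs this tool itself created earlier. No manifest means it manages
    nothing, so a fresh install can never delete a directory it did not create."""
    path = skills_root / MANIFEST_NAME
    if not path.is_file():
        return set()
    return set(json.loads(path.read_text())["managed"])


def save_manifest(skills_root: Path, managed: set) -> None:
    (skills_root / MANIFEST_NAME).write_text(json.dumps({"managed": sorted(managed)}))


def find_stale(skills_root: Path, catalog: set) -> dict:
    """Classify local sn-* directories against the remote catalog:
    stale   = in the manifest but no longer in the catalog (removal candidates)
    kept    = in the manifest and still listed
    foreign = sn-* directories the manifest never recorded; never touched"""
    managed = load_manifest(skills_root)
    plan = {"stale": [], "kept": [], "foreign": []}
    for d in sorted(skills_root.iterdir()):
        if not d.is_dir() or not d.name.startswith(PREFIX):
            continue
        if d.name not in managed:
            plan["foreign"].append(d.name)
        elif d.name in catalog:
            plan["kept"].append(d.name)
        else:
            plan["stale"].append(d.name)
    return plan


def cleanup(skills_root: Path, catalog: set, confirm=lambda names: False) -> list:
    """Move stale managed skills into a timestamped backup folder and return
    their names. A catalog that would remove every managed skill looks like
    an empty or failed response, so nothing moves unless confirm() agrees."""
    managed = load_manifest(skills_root)
    plan = find_stale(skills_root, catalog)
    stale = plan["stale"]
    if not stale:
        return []
    if not plan["kept"] and not confirm(stale):
        return []
    backup = skills_root / BACKUP_DIR / time.strftime("%Y%m%dT%H%M%S")
    backup.mkdir(parents=True, exist_ok=True)
    for name in stale:
        shutil.move(str(skills_root / name), str(backup / name))
        managed.discard(name)
    save_manifest(skills_root, managed)
    return stale


def build_fixture() -> Path:
    """Constructed sample tree: two skills SkillNote installed earlier plus one
    the user created by hand under the same prefix."""
    root = Path(tempfile.mkdtemp(prefix="skillnote-demo-"))
    for name in ("sn-a", "sn-b", "sn-user"):
        (root / name).mkdir()
        (root / name / "SKILL.md").write_text("# " + name + "\n")
    save_manifest(root, {"sn-a", "sn-b"})
    return root


if __name__ == "__main__":
    root = build_fixture()
    print("empty catalog:", cleanup(root, set()))          # [] (refused, nothing kept)
    print("catalog drops sn-b:", cleanup(root, {"sn-a"}))  # ['sn-b']
    print("user skill intact:", (root / "sn-user" / "SKILL.md").is_file())
```

The `confirm` callback is where an interactive sync would prompt; a cron-driven sync should leave it at the default and log the refusal, since an unattended run has nobody to ask. Because the manifest is rewritten after every move, a skill the user restores by hand after a removal is no longer managed and will not be removed again.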

What this means

The SkillNote server can track which agents used which synced skills in which sessions, though the artifacts state that message contents and tool results are not posted.

Why it was flagged

The background watcher sends skill-use telemetry, including session IDs and agent names, from local OpenClaw session files to the configured SkillNote backend.

Skill content
`POST /v1/hooks/skill-used` | Per skill read ... `{skill_slug, session_id, agent_name}`
Recommendation

Use only a trusted self-hosted SkillNote backend, understand its retention/access controls, and consider adding a clear telemetry opt-out.

What this means

After setup, a background process may continue watching OpenClaw session logs and reporting skill-use events until stopped.

Why it was flagged

sync.sh launches log-watcher.py as a background daemon. This is disclosed and purpose-aligned for usage analytics, but the process keeps running after the user's request has completed.

Skill content
python3 "$WATCHER" "$HOST" "$AGENTS_ROOT" "$SKILLNOTE_DIR" >>"$SKILLNOTE_DIR/.log-watcher.log" 2>&1 &
Recommendation

Document a simple stop/disable command and make background telemetry explicitly optional.

What this means

Incorrect or malicious procedures in the SkillNote backend could influence future agent behavior through persisted local skills.

Why it was flagged

The skill writes backend-provided procedure bodies into persistent local SKILL.md files that the agent can later read and follow.

Skill content
body = skill.get('content_md') or '' ... content = '---\n' + ... + body + rating_footer ... f.write(content)
Recommendation

Limit who can write to the SkillNote registry, review synced skills, and treat backend content as trusted team instructions only when the backend is well controlled.
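The second and sixth findings share one root cause: backend-provided markdown reaches a persistent SKILL.md (the skill's own during self-update, or an `sn-*` skill during sync) with no local gate. The following added example, which is not SkillNote's code, shows one gate that applies both recommendations: the candidate version must be pinned locally together with the digest of a body an operator already reviewed, the received body must hash to that digest, and a non-empty diff must be approved by a callback before anything is written. The pin key format `name@version` mirrors the `clawhub install "skillnote@$REMOTE_VER"` form on the page; the pin store, the sample bodies, and the `approve` callback are assumptions.

```python
"""Added example (not SkillNote's code): gate backend-provided SKILL.md bodies
behind a local version pin, a content digest and an explicit approval step."""
import difflib
import hashlib


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_version(v: str):
    """'1.4.2' -> (1, 4, 2); None for anything that is not three integers."""
    parts = v.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def gate_update(name, current_version, remote_version, body, pins,
                current_body="", approve=lambda diff: False):
    """Decide whether `body` may replace the installed SKILL.md of `name`.

    Returns ("apply", body), ("skip", reason) or ("reject", reason).
    `pins` maps "name@version" to the sha256 of a body an operator reviewed
    (loaded from an operator-controlled file in a real tool). `approve`
    receives the unified diff and is where an interactive tool prompts; the
    default approves nothing, which is the safe failure mode for cron runs."""
    cur, new = parse_version(current_version), parse_version(remote_version)
    if cur is None or new is None:
        return ("reject", f"unparseable version {current_version!r} / {remote_version!r}")
    if new < cur:
        return ("reject", f"downgrade {current_version} -> {remote_version}")
    key = f"{name}@{remote_version}"
    expected = pins.get(key)
    if expected is None:
        return ("reject", f"{key} is not pinned locally")
    actual = sha256_hex(body)
    if actual != expected:
        return ("reject", f"digest mismatch for {key}: got {actual[:12]}...")
    diff = "".join(difflib.unified_diff(
        current_body.splitlines(keepends=True), body.splitlines(keepends=True),
        fromfile="SKILL.md (installed)", tofile=f"SKILL.md ({key})"))
    if not diff:
        return ("skip", f"{key} already installed")
    if not approve(diff):
        return ("reject", f"change to {key} not approved")
    return ("apply", body)


# Constructed sample bodies in the front-matter + procedure + rating-footer
# shape the page describes. Not real registry content.
INSTALLED_BODY = (
    "---\nname: skillnote\nversion: 1.4.1\n---\n"
    "# SkillNote\nSync sn-* skills from the registry.\n"
)
REMOTE_BODY = INSTALLED_BODY.replace("1.4.1", "1.4.2") + "\nRated 4.8/5 by 12 agents.\n"
# What an operator pins after reviewing REMOTE_BODY; a tampered body or an
# unpinned version never gets past the gate regardless of what the backend says.
PINS = {"skillnote@1.4.2": sha256_hex(REMOTE_BODY)}


if __name__ == "__main__":
    verdict, detail = gate_update(
        "skillnote", "1.4.1", "1.4.2", REMOTE_BODY, PINS,
        current_body=INSTALLED_BODY, approve=lambda diff: print(diff) or True)
    print(verdict, "(would write SKILL.md)" if verdict == "apply" else detail)
```

For synced `sn-*` skills the same function is called once per slug with that slug as `name`, so a registry writer who changes a procedure body cannot get it onto disk until someone pins the new digest and approves the diff. Signatures from a key the backend does not hold would replace the digest check for teams that want the review to happen once, centrally, rather than on every machine.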