Skill v1.0.0
ClawScan security
Ai Trainer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 5, 2026, 3:44 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (autonomously learning from docs and updating system memory/rules) matches its instructions, but it is granted broad abilities to fetch external sites, run local commands, and automatically modify AGENTS.md and MEMORY.md — a combination that could be misused without guardrails.
- Guidance: This skill is coherent with its stated goal, but it has the authority to fetch arbitrary web content, run local commands, and automatically edit core workspace files (MEMORY.md and AGENTS.md). Before installing, consider these mitigations: require explicit user approval before any large recursive fetches; restrict or review all edits to AGENTS.md and MEMORY.md (e.g., run in a sandbox or present diffs for confirmation); disable or tightly scope the 'exec' tool so it cannot read arbitrary files or environment variables; log and review web_fetch targets and outputs; take backups/snapshots of MEMORY.md and AGENTS.md so you can revert unwanted changes. If you cannot enforce these controls, treat the skill as high-risk and avoid granting it autonomous write privileges.
Review Dimensions
- Purpose & Capability (ok): The name and description match the skill's instructions: fetching documentation, summarizing, and writing to MEMORY.md and AGENTS.md are coherent with an 'AI Trainer' role. No unrelated environment variables, binaries, or installs are requested.
- Instruction Scope (concern): SKILL.md instructs recursive 'deep web fetching', knowledge distillation, and automatic updates to AGENTS.md and MEMORY.md. While these align with the purpose, they grant the agent wide discretion to pull arbitrary external content and to modify core workspace files. The guidance to avoid logging secrets is present but unenforceable in an instruction-only spec.
- Install Mechanism (ok): No install spec or code files are present; this is instruction-only, which minimizes disk-level supply-chain risk.
- Credentials (note): The skill declares no required env vars or credentials (proportionate). However, SKILL.md allows use of 'exec' to verify local environment, which could be used to read environment variables or local files at runtime even though none are declared — this is a potential escalation path if the exec tool is unrestricted.
- Persistence & Privilege (concern): The skill is allowed to autonomously update persistent system artifacts (MEMORY.md and AGENTS.md). Persisting automated edits to agent rules and long-term memory is powerful and can change agent behavior long-term; without review controls this is risky. The skill is not set to always:true, but autonomous invocation plus write access is still a meaningful privilege.
