Skill v1.0.0

ClawScan security

Mio Companion · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 4:51 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code and runtime behavior are internally consistent with its description: it learns habits, mines todos, keeps a schedule and logs conversations locally; it does not request external credentials or perform network exfiltration.
Guidance
This skill stores conversation logs, habits, todos and schedules as JSON files under a data directory (OPENCLAW_WORKSPACE/mio-companion-data, or ./mio-companion-data when OPENCLAW_WORKSPACE is unset). It does not contact external services or ask for credentials, even though SKILL.md mentions Feishu integration; that feature is documented but not implemented in the shipped code. Before installing, consider: (1) whether you are comfortable with user messages being persisted to disk (check and, if needed, change the dataDir in config.json), (2) whether you expect external messaging integrations (if so, they are not implemented here and would require additional credentials), and (3) reviewing and deleting the data files if you later uninstall the skill. If you need networked notifications, request or verify an explicit, audited integration rather than relying on this skill's current code.

Review Dimensions

Purpose & Capability
note · The skill's name and description (habit learning, proactive chat, todo mining, scheduling) match the included index.js implementation. SKILL.md and config mention dependencies such as a 飞书 (Feishu) message sender and other skills (self-improvement, cron), but the code does not call any external messaging APIs or require related credentials; this is a mild documentation/expectation mismatch rather than evidence of malicious behavior.
Instruction Scope
note · SKILL.md instructs periodic checks and lists the data files (habits.json, todos.json, schedule.json) that the code creates and uses. The code logs conversation content to a local log file and mines todos from free-form text; that behavior is expected but has privacy implications because user messages are persisted to disk. There are no instructions or code paths that read unrelated system files, access unexpected environment variables, or transmit data externally.
Install Mechanism
ok · No install spec is present (instruction-only style), and the shipped code is a single JS file that reads and writes local JSON files. Nothing is downloaded or executed from external URLs, and the skill itself installs no packages at runtime.
Credentials
note · The registry metadata declares no required environment variables or credentials. The code optionally uses OPENCLAW_WORKSPACE to choose the data directory (falling back to the current directory), which is proportionate. No secrets or unrelated credentials are requested. The only privacy-relevant resource access is reading and writing the skill's own data directory.
Persistence & Privilege
ok · The always flag is false and the skill does not request special platform privileges. It persists its own data under a dedicated data directory and does not modify other skills or global agent configuration. Autonomous invocation (model calls) is allowed by default on the platform; combined with local logging this increases runtime activity, but that is expected for this type of companion skill.