Skill v1.0.0

ClawScan security

Huizai Proactive Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 22, 2026, 10:12 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's files and instructions mostly match a proactive agent that reads and writes workspace memory files and runs a local security audit, but there are mixed/contradictory directives and prompt‑injection examples in the docs that warrant caution before installing.
Guidance
This skill is largely coherent with its stated purpose: it reads and writes local workspace memory files and provides security guidance and a local audit script. Before installing or enabling it:
1) review AGENTS.md and SKILL.md for the contradictory line 'Don't ask permission. Just do it.' and decide whether that behavior is acceptable; if not, edit or reject the skill;
2) run ./scripts/security-audit.sh in a sandbox/workspace to see what it checks and confirm no unexpected remote calls;
3) confirm .credentials is properly gitignored and inspect any .credentials files before the skill can access them;
4) because the docs include many example prompt-injection strings, ensure your agent framework properly isolates system prompts and external content so those examples cannot be executed as instructions;
5) prefer testing the skill in an isolated environment first, and if you don't want autonomous actions, disable autonomous invocation for this skill in your agent settings.
Overall the package is not obviously malicious, but the mixed instructions and prompt-injection text make careful review advisable.
Findings
[ignore-previous-instructions] expected: SKILL.md and references/security-patterns.md intentionally list this phrase as an injection pattern to detect. Presence in docs is expected for a security-focused skill, but a naive prompt handler could be influenced if prompt isolation is poor.
[you-are-now] expected: Appears in the docs as an example of direct prompt-injection; expected in a security patterns document.
[system-prompt-override] expected: Listed as an injection pattern/example in the security documentation. Expected, but worth care when the agent ingests untrusted text.

Review Dimensions

Purpose & Capability
ok: Name/description (proactive, persistent agent) align with the instructions and assets: the skill expects to read/write onboarding, memory, heartbeat and tool files in the workspace and to run a local audit script. There are no declared credentials or install steps, which is consistent with an instruction-only agent that manipulates local workspace files.
Instruction Scope
concern: Most runtime instructions stay within the agent's workspace (read/write ONBOARDING.md, USER.md, SESSION-STATE.md, memory files, run ./scripts/security-audit.sh). However, there are mixed messages in different files: e.g., AGENTS.md contains both strong safety rules and the line "Don't ask permission. Just do it." that could authorize unsolicited actions. The SKILL.md and references include many prompt-injection example strings (used for detection), which is expected but could confuse a naive agent implementation if prompt handling is lax.
Install Mechanism
ok: No install spec; instruction-only plus one small local shell script (security-audit.sh). Nothing downloads or extracts remote code. This is low risk from an install/supply-chain perspective.
Credentials
ok: The skill requires no environment variables, no external credentials, and no special config paths. It references a .credentials directory as a recommended storage location and checks $HOME/.clawdbot/clawdbot.json if present, which is reasonable for a local audit tool but should be noted since it references a home config file.
Persistence & Privilege
ok: Flags show normal defaults (always:false, user-invocable:true, autonomous invocation allowed). The skill does not request permanent system presence or special privileges, nor does it modify other skills' configs in the provided materials.