Skill v1.2.0

ClawScan security

carbon-silicon-covenant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 30, 2026, 12:49 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's files and runtime instructions largely match its stated purpose (philosophy/metacognition/birthday), but bundled documentation contains explicit steps to fetch external repositories and to connect to a raw A2A network IP — combined with the skill's read/write access to local memory files this raises a plausible exfiltration/remote-sharing risk and warrants review before installing.
Guidance
What to check before installing or enabling this skill:
- Scope match: The code files included (modules/birthday/scripts/calculate_age.py and modules/metacognition/scripts/check_state.sh) are small and consistent with the 'birthday' and 'metacognition' features — they appear benign. The SKILL.md's core runtime steps (copy templates, run the age script, read/write SELF_STATE.md) also match the stated purpose.
- Sensitive permissions: The skill (clawhub.json) asks to read/write memory and SELF_STATE/IDENTITY files. Those files often contain user-specific or private data. Only enable these permissions if you trust the skill and you are comfortable with the skill storing/reading those items.
- External network/install instructions (red flag): Several documentation files recommend git cloning repos and connecting to an A2A network with a raw IP (47.121.28.125:3099) or adding third-party skills. These instructions would cause the agent to fetch and run external code and potentially share data with external agents. Do NOT follow those steps unless you have independently verified the remote hosts, repositories, and their maintainers.
- Gateway restart and linking: PUBLISH.md suggests symlinking into ~/.openclaw/skills and restarting the gateway. Restarting system components and adding skills changes runtime behavior — perform these actions in a controlled environment and preferably after a code review.
- Recommended actions:
  1. Inspect the included code (calculate_age.py and check_state.sh) yourself — they are small and readable.
  2. Disable or avoid following the 'git clone' / A2A network / raw-IP steps unless you can verify the remote repositories and hosts.
  3. If you want to try the skill safely, run it in an isolated test instance or sandbox copy of your OpenClaw workspace with no real user memory exposed.
  4. If you must grant memory read/write, make a backup of MEMORY.md and related files first.
  5. If you plan to enable A2A networking or fetch external code, audit those remote repos and the network endpoints (DNS, owners, and code contents) before connecting.
- If unsure: treat the package as 'locally useful but network-risky' — benign-looking local behavior but documentation encourages external fetch and network joins which increase risk.

If you provide more information (are you willing to allow A2A networking, do you plan to grant memory write), I can give step-by-step safer installation suggestions.

Review Dimensions

Purpose & Capability
ok
The skill claims to teach a 'carbon-silicon covenant' and includes metacognition and birthday modules; the included scripts (calculate_age.py, check_state.sh) and declared file-permission intents (read/write SELF_STATE.md, IDENTITY.md, memory files) align with that purpose. There are no unrelated required environment variables or binaries in the manifest.
Instruction Scope
note
SKILL.md runtime instructions stay on-topic: copying SELF_STATE/HEARTBEAT templates into the workspace, running the age script, and checking SELF_STATE.md. Those operations involve reading/writing agent-local files (MEMORY.md, IDENTITY.md, SELF_STATE.md), which is coherent with the skill's goals. However, the package also contains docs that instruct performing network actions (git clone, openclaw skill add) and adding A2A network configuration; these are outside the minimal local scope and broaden what the agent may be asked to do.
Install Mechanism
concern
There is no formal install spec (instruction-only), which is low-risk in itself, but multiple documentation files (modules/metacognition/README.md, references/Quick-Start_EN.md, PUBLISH.md) instruct cloning external repositories (gitee links) and running install scripts. Quick-Start mentions using an A2A remote registry and a raw IP (47.121.28.125:3099). Fetching and executing code from external repos or connecting to a raw IP is a higher-risk install path and should be treated with caution.
Credentials
note
The manifest requires no environment variables or external credentials, and the declared permissions (memory_read/memory_write, file_read/file_write for IDENTITY.md/SELF_STATE.md) are reasonable for a skill that promises to remember milestones and update self-state. Those accesses are sensitive because memory files can contain private user data; granting read/write should be a deliberate decision by the user.
Persistence & Privilege
concern
The skill does not request always:true and doesn't autonomously install itself, which is good. However, the docs instruct linking the skill into ~/.openclaw/skills and restarting the gateway, and recommend adding A2A network configuration. Restarting the gateway and enabling A2A networking can increase the agent's exposure and the blast radius if the operator also follows the external-install instructions; this combination raises privilege/exposure concerns.