Skillv2.0.0

ClawScan security

Soulmatic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 30, 2026, 8:16 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior mostly matches its persona-management purpose, but there are inconsistencies around workspace file deletion, autonomous file writes, and a few implementation/behavior mismatches that warrant caution before installing.
Guidance: This skill is generally coherent for persona management, but review these points before installing: - Inspect and back up your workspace (especially IDENTITY.md, SOUL.md, MEMORY.md, LORE.md) since the skill is designed to read and write those files; configure.py will create/overwrite IDENTITY.md (it does prompt for confirmation when run interactively). - Note the mismatch: SKILL.md says to delete memory/_reanchor.md after re-anchoring, but anchor.sh does not perform deletion. Decide whether you want automatic deletions—if so, modify the script or refuse automatic runs. - configure.py runs interactively and sanitizes inputs, but if invoked non-interactively by the agent it may behave differently; avoid granting the skill unattended execution that could bypass interactive confirmations. - If you add automatic bindings (heartbeat/on_startup), limit their scope and test in a safe workspace to ensure no unintended file mutations occur. - If you need stronger guarantees, run configure.py and anchor.sh manually, verify the generated IDENTITY.md contents, and consider placing your authoritative persona files under version control or a location where accidental deletion/modification is less impactful.

Review Dimensions

Purpose & Capability: okName and description (bind/audit/evolve persona files) align with the included scripts and docs: the skill reads/writes IDENTITY.md and SOUL.md, provides a CLI anchor.sh, and an interactive configure.py that creates IDENTITY.md. No unrelated credentials, binaries, or network endpoints are requested.
Instruction Scope: concernSKILL.md instructs the agent to read/write/delete workspace files (IDENTITY.md, SOUL.md, memory/_reanchor.md, MEMORY.md, LORE.md). These operations are within the skill's stated purpose, but deletion of memory/_reanchor.md is explicitly required by the instructions while the included anchor.sh does not implement deletion (implementation mismatch). The runtime guidance also allows autonomous writes when the agent 'has the tools', which could lead to unprompted modifications if the agent acts without explicit user approval despite the doc's advisory to disclose such writes.
Install Mechanism: okNo install spec; instruction-only plus small helper scripts. There are only two small code files (anchor.sh and configure.py) and docs. Nothing is downloaded or extracted from remote URLs, which minimizes install-time risk.
Credentials: okThe skill requests no credentials or special environment variables. configure.py uses OPENCLAW_WORKSPACE or the current working directory to determine where to write IDENTITY.md — reasonable for a workspace-focused persona tool, but be aware that the resolved path controls where files will be modified.
Persistence & Privilege: notealways is false, and the skill is user-invocable. However skill.yaml declares hooks (on_startup, on_drift). Those hooks imply the platform may run binding/audit actions automatically at session start or on drift; combined with instructions allowing autonomous writes, this increases the potential for automatic modification of workspace files (though no 'always' privilege or unusual platform-level permanence is requested).