Skill v1.0.0
ClawScan security
mar-elicitation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Apr 24, 2026, 3:50 AM)
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions match its stated purpose (eliciting deep personal narratives) but omit important safeguards and contain guidance (iterate until a perfect score, probe life-defining memories) that could lead to excessive, sensitive data collection or harm without consent or crisis handling.
- Guidance: This skill is coherent with its stated goal of eliciting life-story material, but it lacks critical safety and privacy controls. Before installing or enabling it, consider:
  - (1) Do you have explicit, informed-consent and opt-out text built into any agent flows that use this skill?
  - (2) Add mandatory safeguards: stop conditions, limits on number/frequency of probes, and refusal rules when the user declines.
  - (3) Implement crisis handling: if a user indicates suicidal ideation, self-harm, or severe distress, the agent must stop eliciting, provide crisis resources, and escalate to human oversight per your policy.
  - (4) Define data handling: do not persist raw transcripts or PII without encryption, retention policies, and clear access controls; prefer ephemeral/anonymous summaries.
  - (5) Avoid clinical claims: the skill should include a clear disclaimer that it is not a diagnostic tool and recommend referral to qualified professionals when needed.
  - (6) Log and audit: record when and why the skill was invoked and who approved it.

  Without these mitigations, the skill can easily be misused to harvest sensitive information or push users into harmful disclosures.
Review Dimensions
- Purpose & Capability (note): The name/description (psychological elicitation, narrative identity, self-defining memories) align with the SKILL.md content and the included reference files — no unrelated binaries, env vars, or installs are requested. However, the stated purpose inherently involves collecting sensitive personal material (trauma, sexuality, death, mental-health indicators), so the skill should explicitly require or document consent, scope limits, and intended use of generated profiles; its absence is noteworthy.
- Instruction Scope (concern): The SKILL.md gives concrete interviewing techniques and asks the agent to 'achieve a 10/10 score' and 'iterate until you reach 10/10', which can encourage repeated probing and sustained elicitation of sensitive memories. It directly instructs asking about trauma, mortality, sexual identity, and other intimate domains without providing instructions for informed consent, participant safety, mandatory reporting, or how to respond to crisis indicators (e.g., suicidality). The guidance is broad and grants the agent open-ended authority to push for disclosure to meet the scoring goal, which increases the risk of overreach and harm.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files, so there is no disk installation or external download risk. Low technical installation risk.
- Credentials (note): The skill requests no environment variables, binaries, or credentials — proportionate from a technical-privilege perspective. However, functionally the skill expects and encourages collection of sensitive personal data; the lack of declared requirements for consent, logging controls, data retention, or external endpoints means there is no technical enforcement of ethical or privacy controls (e.g., opt-in flags, audit logs).
- Persistence & Privilege (note): always:false and no system-wide config changes are requested, so the skill does not demand elevated persistence. Autonomous invocation is allowed (the platform default). Combined with the instruction to iterate until perfect scoring, autonomous invocation could produce repeated, intrusive interactions if the agent runs unsupervised — the SKILL.md does not define termination criteria or rate/attempt limits.
