Skillv1.0.0

ClawScan security

Aria — Google Business Profile Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 9, 2026, 9:21 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The package is an instruction-only identity bundle that mostly matches its stated purpose, but the runtime rules direct the agent to proactively read user and memory files (including MEMORY.md and USER.md) and include the phrase “Don't ask permission. Just do it.” — a privacy/scope concern that doesn't align with a cautious identity installer.
Guidance: This package legitimately installs identity files, but review and consider the following before installing: - The AGENTS.md directs the agent to read USER.md and recent memory files every session and to load MEMORY.md in main sessions, and says 'Don't ask permission. Just do it.' — if your workspace contains secrets or private data, the agent will be configured to ingest them automatically. Edit AGENTS.md to require consent or remove lines you don't want the agent to follow. - Open USER.md, MEMORY.md, and memory/* now and confirm they contain only data you want an agent to read automatically. If they contain sensitive info, either sanitize those files or do not install this skill. - Back up your workspace before copying these files so you can revert behavioral changes. - If you want the identity but not the autonomous memory ingestion, copy only SOUL.md and IDENTITY.md and skip or modify AGENTS.md to remove automatic read/load directives. - If you plan to deploy this agent in shared/group contexts, enforce stricter rules around MEMORY.md (the AGENTS.md itself says to only load MEMORY.md in main sessions — ensure that is respected by your gateway configuration). - If you want a safer default, change 'Don't ask permission. Just do it.' to a line that requires explicit operator consent before reading user/memory files. Given these concerns, proceed only after you (or someone with knowledge of the workspace contents) confirms the memory and user files are safe for automatic ingestion.

Review Dimensions

Purpose & Capability: noteThe skill's name and description claim only to install identity files (SOUL.md, IDENTITY.md, AGENTS.md) and it does exactly that. No binaries, env vars, or installs are requested, which is proportionate to an identity package. However, the provided AGENTS.md prescribes behaviors (automatic reading of USER.md and memory files) that go beyond merely 'installing identity' and affect runtime agent behavior; that extension is plausible for an identity package but should be explicit to the user before installation.
Instruction Scope: concernAGENTS.md instructs the agent to, on every session start, read SOUL.md, USER.md, and recent memory files and to load MEMORY.md in main sessions. Crucially it says 'Don't ask permission. Just do it.' — that explicitly directs the agent to access potentially sensitive user data without seeking consent. While reading workspace files is within the realm of an identity/agent package, these instructions are broad and encourage access to private user content (USER.md, MEMORY.md, memory/*). This is scope-creep from 'install identity files' to 'automatically ingest user memory', which raises privacy risks and should be opt-in or clearly documented to the human operator.
Install Mechanism: okInstruction-only skill with no install steps, no extracted archives, and no external downloads — minimal on-disk impact. The SKILL.md tells the operator to copy three files into the workspace; this is low-risk from an install mechanism perspective.
Credentials: okNo environment variables, credentials, or config paths are requested. The files operate entirely via workspace files, so there is no disproportionate credential or environment access requested by the package itself.
Persistence & Privilege: noteThe skill does not request always: true or any system-level privileges. However, the agent behavior the files describe increases the agent's runtime access to user data (memory files and USER.md). That is not a system privilege escalation, but it is a behavioral persistence concern: once installed the agent will be configured to autonomously load sensitive workspace files every session unless the operator changes these files first.