TASTES.md

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill is purpose-aligned, but it deliberately reads memory and adds persistent taste-related instructions, so users should understand that behavior before enabling it.

This skill appears benign and instruction-only. Install it if you want the agent to use memory to learn your aesthetic preferences, but review both the generated TASTES.md and the AGENTS.md section it adds so persistent future behavior matches your expectations.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may review personal historical memory to build a reusable taste profile that can influence future creative outputs.

Why it was flagged

The skill explicitly mines long-term memory and daily logs to infer aesthetic preferences, then stores distilled constraints in TASTES.md for reuse.

Skill content

“MEMORY.md — read directly”; “Recent daily logs — read today's and yesterday's memory/YYYY-MM-DD.md”; “Old daily logs via memory_search — most signals hide here.”

Recommendation

Use this only if you are comfortable with the agent searching memory for aesthetic signals, and review the proposed TASTES.md before saving.

What this means

Future creative tasks may be influenced by the added aesthetic rules until the AGENTS.md section is removed.

Why it was flagged

The skill directs the agent to make a persistent change to AGENTS.md so future creative work reads and applies TASTES.md.

Skill content

“On first activation, check if AGENTS.md contains ## Aesthetic Judgment. If not, append...”

Recommendation

After installation, review the added AGENTS.md section and remove it if you do not want persistent aesthetic guidance.

What this means

If the remote SKILL.md changes, a manual reinstall could fetch different instructions than the reviewed artifact.

Why it was flagged

The documented manual install fetches the skill file from a remote URL. It does not execute downloaded code, but the user still depends on that remote content being trustworthy.

Skill content

“mkdir -p ~/.openclaw/skills/tastes && curl -fsSL https://tastes.md/SKILL.md -o ~/.openclaw/skills/tastes/SKILL.md”

Recommendation

Inspect the downloaded SKILL.md before use or install from a trusted, versioned source.