Skill v1.0.0

ClawScan security

Brainhack — ADHD Sidekick · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 5:09 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The package is internally consistent with its stated purpose (an ADHD-focused agent pack for messaging) but it stores personal behavioral/health data and can send proactive messages — review privacy and retention before installing.
Guidance
This skill appears to be what it says (a ready-made ADHD-focused agent pack for Telegram/WhatsApp), but it will store personal and health-related information (e.g., medication timing, emotional states, session transcripts) in the agent's memory files and can send a single proactive re-engagement message after inactivity. Before installing:
1) Confirm where USER.md / MEMORY.md are stored and who has access (are they encrypted/backed up to cloud?).
2) Decide whether you’re comfortable the agent can send outbound messages (cron/heartbeat) and set limits if possible.
3) Avoid entering highly sensitive health or legal information if you’re unsure about retention/policy.
4) If you plan to enable calendar or other integrations (the pack mentions integrations), verify what credentials will be requested and why.
5) Remember this is not a replacement for professional medical or psychiatric care.
If any of these privacy/retention items are unacceptable, ask the publisher for a data-retention/privacy policy or modify configuration to disable memory persistence or proactive messages before use.

Review Dimensions

Purpose & Capability
ok: Name/description (ADHD sidekick, messaging-based) align with the files and the declared requirements: no binaries, no env vars, and no install. The included skills, personas, and knowledge files are coherent with an ADHD-focused conversational agent that runs in Telegram/WhatsApp.
Instruction Scope
note: SKILL.md and the included files instruct the agent to perform onboarding, route messages to specific skills, write session summaries, and accumulate MEMORY.md / USER.md (explicit persistent storage of session context and sensitive fields such as medication status). It also includes a proactive re-engagement behavior ('send one proactive re-engagement message (via cron or heartbeat)' after 7+ days). These behaviors are within the stated scope, but they imply persistent storage and automatic outbound messaging that you should be aware of.
Install Mechanism
ok: No install spec and no code files: instruction-only. This is the lowest-risk install model; nothing is downloaded or written by an installer beyond the agent's normal skill install command.
Credentials
note: The skill requires no environment variables or external credentials, which is proportionate. However, it intentionally collects and persists sensitive user-provided data (ADHD profile, medication timing, emotional state, open tasks, session logs). That is logically related to the purpose but raises privacy considerations because health-related and behavioral data will be stored in agent memory files.
Persistence & Privilege
note: The skill explicitly instructs writing to USER.md and MEMORY.md and keeping session logs and pattern recognition flags. It does not set always:true. Persistent memory and the ability to send scheduled/proactive messages are legitimate for this use case, but represent additional privilege and persistent presence: review where those files are stored, how long data is retained, and whether outbound messaging is acceptable for your use case.