Skillv1.0.1

ClawScan security

autonomy-gate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 25, 2026, 7:13 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requested files and actions are consistent with an autonomy/gating policy: it reads and updates local state and logs and outlines checks before external actions, with no hidden network installs or credential requests, but a few implementation gaps deserve attention.
Guidance: This skill appears to be a coherent local 'autonomy gate' that reads/writes its own state and logs and enforces rules before external actions. Before installing: (1) ensure you control or inspect SOUL.md and any files the skill will read (they influence decisions); (2) confirm where and how outbound messages (Discord/email/heartbeat) are actually sent — ensure connectors/tokens are stored separately and require explicit operator consent; (3) review and restrict any automatic emergency behaviors (6-hour rule) if you do not want autonomous outbound actions; (4) monitor the skill's references/action-log.jsonl and memory files for unexpected entries. If you need stronger guarantees, ask the author to make the approval channel explicit and to require operator confirmation for any external-send operation.

Review Dimensions

Purpose & Capability: okThe name/description (autonomy gate) matches the actual instructions: checking a level, deciding allow/deny, probation rules, logs, and weekly review. The skill requires no external binaries or secrets and only manipulates local state files (references/state.json, references/action-log.jsonl, memory files), which is coherent for a gate/policy checker.
Instruction Scope: noteInstructions explicitly tell the agent to read/write local state and logs, consult a SOUL.md value file, request operator approval for forbidden actions, and send post-action reporting (heartbeat or DM). This is within purpose, but two items to note: (1) SOUL.md is referenced but not included in the package — the skill assumes another file exists; (2) the doc describes outbound actions (DM/email/heartbeat/alerts) and an emergency autonomous behavior after 6 hours of operator silence, which could lead to real external communications depending on available connectors. The SKILL.md does not itself include how credentials/connectors are provided, so there is ambiguity around who actually performs outbound sends.
Install Mechanism: okInstruction-only skill with no install steps and no code files — this is low-risk and consistent with a policy/gating role. Nothing is downloaded or written beyond the declared local state/log files.
Credentials: okNo environment variables, credentials, or config paths are requested. The included references/state.json contains channel IDs and email addresses (expected for a gating policy). Because the skill doesn't ask for external credentials, it cannot itself perform privileged outbound actions — it only documents/controls them, which is proportionate.
Persistence & Privilege: notealways is false and the skill is user-invocable; it writes/updates its own state and logs in the repository (normal). One operational note: the emergency protocol allows the agent to perform certain actions if the operator is unresponsive for 6 hours — combined with the platform's default ability for autonomous invocation and any existing connectors, that could permit outbound activity. This is a behavior property to be aware of, not an intrinsic install-time privilege.