Skill v1.0.2
ClawScan security
my-first-test-01 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 15, 2026, 7:42 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior (a self-improvement / learning-capture tool with hooks and scripts) mostly matches its description, but there are packaging/metadata mismatches and a few instruction-scope and data-sensitivity concerns you should review before installing.
- Guidance: This package implements a reasonable 'self‑improvement' logging workflow (creates .learnings, optional hooks to remind the agent, and helpers to extract skills). Before installing:
  - (1) Verify the source — the registry metadata name/slug differs from the files' internal metadata (the package appears to contain 'self-improving-agent' content but is registered as 'my-first-test-01'); confirm you trust the repository and author.
  - (2) Review the hook scripts (activator.sh, error-detector.sh, handler.js/ts, extract-skill.sh) yourself — they run locally and will be executed with the agent's permissions if you enable hooks.
  - (3) Be cautious about enabling PostToolUse / cross-session features: the skill suggests reading/sending other sessions' transcripts and logging tool output; do not enable those unless you trust the environment and understand the privacy implications.
  - (4) If you install, prefer project-level, minimal setup (only UserPromptSubmit) and do not enable any global user-level hooks until tested in a safe environment; ensure hooks/scripts have appropriate filesystem permissions.
  - (5) If you need higher assurance, ask the publisher to fix the metadata mismatch and provide a signed or canonical source URL before use.
Review Dimensions
- Purpose & Capability (concern): The included files implement a 'self-improvement' / 'self-improving-agent' skill (hooks, activator, error detector, extract-skill helper) and the SKILL.md describes that purpose. However the registry metadata (skill name/slug/owner) does not match the internal SKILL.md/_meta.json references (e.g., registry lists 'my-first-test-01' but files identify 'self-improving-agent' / 'self-improvement'). This packaging/metadata mismatch is unexpected and should be verified (could be benign repackaging, but it could also be a mistaken or malicious replacement). Otherwise, the code and instructions align with the stated purpose (creating .learnings logs, injecting reminders, optional hooks).
- Instruction Scope (concern): The runtime instructions and scripts create/require writing files under workspace or user home (~/.openclaw/workspace and ~/.openclaw/hooks) and recommend enabling hooks that will run on agent lifecycle events. The references also show using cross-session APIs (sessions_history, sessions_send, sessions_spawn) which can read or send session transcripts; the SKILL.md warns to use these only in trusted environments, but the presence of those instructions increases the risk of inadvertent exposure of transcripts or command output. The error-detector script reads CLAUDE_TOOL_OUTPUT (tool output) and may cause automated reminders to be issued when errors are detected — useful but potentially sensitive if error output contains secrets. Overall the instructions grant the agent discretion to read and promote learnings across sessions; that is within the skill's purpose but requires user caution.
- Install Mechanism (note): There is no formal install spec in the registry (instruction-only), which is lower risk. The SKILL.md suggests installing via git clone from GitHub (https://github.com/peterskoett/self-improving-agent.git) or via a 'clawdhub' command — both are normal for an open-source skill. The included scripts operate locally and the extract-skill helper defends against path traversal/absolute paths. No external downloads from untrusted hosts or archive extraction were found.
- Credentials (note): The registry lists no required environment variables or credentials, which matches the benign-sounding purpose. However the error-detector.sh reads CLAUDE_TOOL_OUTPUT (an agent-provided env var) even though it's not declared in metadata — this is expected for hooks but should be noted. More importantly, the skill's workflow encourages logging command outputs and session transcripts into .learnings and (optionally) promoting them to shared workspace files; while the SKILL.md explicitly warns not to log secrets, the mechanism relies on the agent and user following that guidance, so there's a practical risk of sensitive data being recorded if the user or agent is not careful.
- Persistence & Privilege (ok): The skill does not request always:true and is user-invocable; hooks and scripts are opt-in and only run if the user copies/enables them in their OpenClaw/agent config. The hook handlers inject a virtual bootstrap file (reminder) but do not modify other skills or system-wide settings. Enabling user-level hooks will give the skill global effect for that user, so enabling them is a conscious, persistent choice.
