Skill v0.21.1
ClawScan security
Open Persona · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 10:27 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill largely matches its stated meta-purpose but its runtime instructions reference reading/writing local workspace data, generating and installing third‑party skill packs, and mapping persona configs to environment variables and home-directory state — behavior that expands its access surface and deserves careful review before use.
- Guidance
- This skill is a meta-framework that will read/write persona files in your workspace and home directory, invoke CLIs (npx, gh), and install/compose third-party skill packs. That behavior is coherent with its purpose but increases your exposure:
  - Review generated persona.json, scripts (scripts/*), and any assets before installing or running them.
  - Do not supply API keys or GitHub credentials unless you trust the persona and the external provider; the skill documents optional env vars for many providers but does not require them.
  - Expect it to create ~/.openpersona state and to run npx/gh commands when you use features like contribute/publish/install; run those commands yourself when possible, or verify CLI prompts.
  - Be cautious about automatic fetching/installing of third-party skills; inspect upstream repos before installing. If you want to minimize risk, restrict autonomous invocation or require explicit confirmation before any network/CLI action.
Review Dimensions
- Purpose & Capability
- note: The name/description (meta-skill for creating/managing persona packs) aligns with the SKILL.md: it explains generation, install, publish, and runner integration. The broad scope (presets, economy, heartbeat, external faculty adapters) is consistent with a meta-framework, but the skill explicitly delegates heavy implementations to external skills and marketplaces (ClawHub, GitHub, Hugging Face, AgentBooks). This broad external integration is coherent with the stated purpose but increases attack surface.
- Instruction Scope
- concern: The SKILL.md instructs the agent to read workspace data, local files, and persona/runtime state (e.g., state.json, ~/.openpersona/economy/*, VITALITY_REPORT), to run CLI commands (npx, gh), to search/install third-party skills, and to publish to external directories. While these actions fit persona lifecycle tasks, they involve access to arbitrary local files and networked repositories. The instructions also reference a Signal Protocol and ACN/A2A artifacts (agent-card.json, acn-config.json) and describe agent-driven publishing/forking flows, all of which could expose or transmit sensitive data if not carefully controlled.
- Install Mechanism
- ok: There is no install spec or bundled installer; the skill is instruction-only with no code files. This minimizes immediate code-write risk. However, the instructions rely heavily on invoking third-party CLIs (npx, gh) and fetching external repos/skill packs at runtime, which transfers the risk to those external artifacts.
- Credentials
- note: The skill declares no required env vars or primary credential, which is appropriate for a framework/manager. The included documentation, however, documents many optional provider env vars (ELEVENLABS_API_KEY, FAL_KEY, AVATAR_API_KEY, MEMORY_API_KEY, etc.) and states that persona config can be mapped to environment variables at install time. That is reasonable but means users will be prompted to provide keys for faculty/provider integrations; review any prompts before supplying secrets. No unexplained or hidden credential requirements were found.
- Persistence & Privilege
- ok: always:false and default model invocation are normal. The skill will write/read its own state under ~/.openpersona and generate persona packs with file artifacts (persona.json, scripts/, assets/). Writing its own config/state is expected for this purpose. It does not declare modifying other skills' configs, but because it installs and composes third-party skill packs, it can cause other artifacts to be added to the system; the user should expect modifications under the OpenPersona workspace and home directory.
