Skillv1.0.2

ClawScan security

Heleni Best Practices · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 2, 2026, 8:02 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions largely match its stated purpose (daily sync of the Heleni PA-skills pages) but contain minor inconsistencies and implicit assumptions about file access and tools that are not declared in the metadata.
Guidance: This skill appears to do what it says — check a public Heleni page and a public GitHub skills folder and log differences — but there are a few things to confirm before installing: - Confirm you are comfortable with the skill reading and writing files under the agent workspace ($WORKSPACE/data and .learnings) and creating a state file; these paths are not declared in the metadata. - Resolve the ambiguity about automatic changes: the doc both says it will 'apply' lessons and also says to 'Always ask before' modifying SOUL.md/HOT.md. If you want human approval for edits, ensure the skill is configured to prompt the owner rather than auto-apply. - The skill uses curl/python3 and refers to a 'web_fetch' tool; ensure those tools exist in your agent environment. - If you expect heavy GitHub usage, consider providing a GITHUB_TOKEN (not currently declared) to avoid rate limits; do not provide tokens unless you trust the behavior. - Because the skill can run daily (cron entry provided) and can be invoked autonomously, verify the delivery/notification settings (it claims 'silent' by default) and whether you want automatic scheduling enabled. If these points are acceptable or clarified (especially the file-write behavior and the ask-before-modify policy), the skill is coherent. If you need stricter guarantees, request the SKILL.md be updated to declare workspace/config paths and to remove the ambiguous wording about automatic edits.

Review Dimensions

Purpose & Capability: noteName/description match the runtime steps (fetch learn.html and skills list, diff, extract lessons). However the SKILL.md reads/writes $WORKSPACE/data and .learnings paths and uses /tmp — these config paths are not declared in the skill metadata. The doc also references a 'web_fetch' tool in Step 3 in addition to curl, which assumes the agent has that tool available.
Instruction Scope: noteInstructions are explicit about fetching pages, comparing state, extracting lessons and reporting. They write files to /tmp and the agent workspace and may fetch SKILL.md files from the public GitHub repo. There is an ambiguity: the top-level 'What It Does' says it 'applies relevant lessons to this agent's own SOUL.md / AGENTS.md / HOT.md', but a later table and Step 4 say the agent must 'Always ask before' modifying SOUL.md or HOT.md. That conflict should be resolved before trusting autonomous runs.
Install Mechanism: okInstruction-only skill with no install spec or code files — lowest install risk. It relies on standard CLI tools (curl, python3) and agent tooling; nothing is downloaded or executed from arbitrary URLs by an installer.
Credentials: noteThe skill requests no credentials or env vars (appropriate for a public-site sync). It implicitly assumes write access to $WORKSPACE and creation of .learnings and a state file. It may call the GitHub API anonymously (rate-limited); the SKILL.md does not declare an optional GITHUB_TOKEN if the operator wants authenticated requests.
Persistence & Privilege: okalways:false (no forced presence). The skill schedules a daily cron-like job in its spec but does not claim ability to modify other skills or system-wide agent settings. It does write its own state and logs in the agent workspace, which is consistent with its purpose.