Skill v1.0.0

ClawScan security

backup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 5, 2026, 5:35 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (session archive + GitHub/OneDrive backup) matches the instructions in broad strokes, but it omits required credential declarations, includes steps that access and upload sensitive session data, and contains inconsistent guidance about automatic resets and confirmation — worth caution before installing.
Guidance
Before installing or enabling this skill, confirm these points with the author and take precautions:
- Credentials and storage: Ask exactly how the GitHub token is provided, stored, and scoped. Do not accept workflows that embed tokens into remote URLs. Prefer using a token stored in a secure env var with minimal repo permissions (only the repo push scope required), or a deploy key with narrowly scoped access.
- Explicit consent for resets: Resolve the contradiction between 'ALWAYS ask' and the template's 'automatic reset without confirmation'. Require explicit, per-reset user confirmation if you do not want automatic destructive resets.
- Inspect scripts before execution: The skill instructs creation/execution of PowerShell scripts (generate-ai-summary.ps1, backup.ps1). Get the actual script contents and review them for any network calls, credential exfiltration, or commands that modify other system components before running.
- Limit data uploaded: Confirm what files will be uploaded. Backing up full raw-history and config files can leak sensitive personal data; prefer selective backups or private repos/storage and encryption at rest.
- Run in an isolated environment first: Test the workflow in a disposable user account or VM so resets and file writes cannot affect your primary environment.
- Logging and rollback: Ensure the skill records operations in a local log and provides a way to abort or roll back an unintended reset or upload.
- Additional info that would raise confidence: (1) explicit declaration of required env vars and how tokens are handled, (2) the exact PowerShell script sources to review, (3) a guarantee that automatic resets are disabled unless explicitly permitted, and (4) guidance that GitHub pushes avoid embedding tokens in URLs and use secure auth methods.
If the author cannot provide these assurances and the script contents, treat the skill as high-risk and do not enable it with access to real session data or production environments.

Review Dimensions

Purpose & Capability
concern
The skill claims GitHub/OneDrive backups and session lifecycle management — that logically requires access to session history, local filesystem paths (workspace, OneDrive) and a GitHub token. However, the registry metadata lists no required env vars/config paths or binaries. The absence of declared credentials/config requirements is inconsistent with its actual needs.
Instruction Scope
concern
SKILL.md instructs the agent to read full session history (via sessions_history or an internal API), write many local files (raw-history, MEMORY.md, config/ files), run PowerShell scripts, and push data to GitHub/OneDrive. The references/templates even include a step that performs '自动重置(无需用户确认)' (automatic reset without user confirmation), which conflicts with the Phase 1/Phase 2 'ALWAYS ask and wait for confirmation' requirement — this is scope creep and an explicit behavioral inconsistency.
Install Mechanism
ok
This is an instruction-only skill with no install spec or bundled binaries — low installation risk from third-party code downloads. However, runtime instructions create and execute scripts on the host, which moves risk to runtime behavior rather than install-time.
Credentials
concern
The workflow requires sensitive access (session history, config files like SOUL.md/USER.md, local OneDrive directories) and a GitHub token, but the skill metadata does not declare any required environment variables or credentials. Instructions also recommend embedding tokens into Git remote URLs (e.g., https://[TOKEN]@github.com/...), which is insecure and increases risk of token leakage. Requesting broad access to session data is proportionate to backup functionality only if credential handling and user consent are explicit — those are missing.
Persistence & Privilege
concern
The skill is not marked always:true, but it describes autonomous heartbeat-driven checks that can trigger immediate backups and resets. Combined with the ability to read full session histories and push to external services, autonomous invocation amplifies risk. There is also an internal inconsistency about whether automatic reset requires user confirmation, which affects the level of privilege the skill exercises.