Skill v1.0.6
ClawScan security
Clawsync · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 22, 2026, 3:55 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's backup/restore scripts and required env vars are coherent for a GitHub-based workspace backup, but the bundle includes agent persona files that can change agent behavior and the SKILL.md contains hidden unicode control characters (prompt-injection signal); review before use.
- Guidance: What to consider before installing or running ClawSync:
  - The core scripts (sync.sh, restore.sh) appear to implement a reasonable backup/restore to GitHub and explicitly exclude known sensitive files and scan for secrets. Using a fine-grained GitHub PAT limited to a single repo (contents: write) is recommended.
  - Do NOT run restore.sh or sync.sh in your real workspace without inspection first. Instead: clone the skill to a safe location and run it against a temporary test workspace and a test GitHub repo to confirm behavior.
  - Inspect and sanitize the bundled text files (especially AGENTS.md, SOUL.md, README.md, SITES.md). AGENTS.md contains agent-runtime instructions (e.g., read memory files, 'Don't ask permission. Just do it.', commit/push autonomously) that could cause an agent to read sensitive context or act autonomously if those files are restored into a live agent workspace.
  - Remove or edit any persona/agent guidance files before restoring to production, and verify MEMORY.md and SITES.md are excluded (scripts already exclude them, but double-check). SITES.md in the bundle contains documented keys which should not be stored in backups.
  - Investigate the unicode control characters flagged in SKILL.md (use cat -v, hexdump -C, or similar) and remove them; treat that as a red flag until explained by the publisher.
  - Prefer using gh CLI auth over embedding tokens; if you must use a PAT, rotate it after testing and give it minimal scope.

  If you want, I can point out exact lines with hidden characters, summarize which files contain agent-behavior directives to remove, or produce a safe checklist to run this skill in a disposable environment first.
- Findings:
  - [unicode-control-chars] unexpected: Detected hidden/unicode control characters in SKILL.md. These can be used for prompt-injection or to obfuscate instructions; not necessary for a backup/restore skill and should be removed or explained by the author.
Review Dimensions
- Purpose & Capability (note): Name/description match the requested env vars (GITHUB_TOKEN, BACKUP_REPO, OPENCLAW_WORKSPACE) and the included scripts implement backup/restore to GitHub. That is proportionate. However, the package also contains agent identity/persona files (AGENTS.md, SOUL.md, etc.) that instruct agents to read memory files and to 'commit and push your own changes' — behaviour outside a simple backup/restore feature and potentially able to alter an agent's runtime behavior once restored.
- Instruction Scope (concern): SKILL.md and the shell scripts themselves are limited to copying whitelisted files, excluding sensitive files, scanning for secrets, and pushing to GitHub — all within the stated purpose. But AGENTS.md contains explicit runtime instructions for an assistant (e.g., read memory files, 'Don't ask permission. Just do it.', commit and push changes) that could cause an agent to read or transmit sensitive context or act autonomously after restoration. Additionally, SKILL.md contains unicode control characters (prompt-injection signal), which is suspicious and should be inspected/removed.
- Install Mechanism (ok): No install spec; this is instruction/code-only and uses plain shell scripts. Nothing is downloaded from arbitrary URLs or installed from untrusted registries. Risk from install mechanism itself is low.
- Credentials (ok): Requested env vars are exactly those needed for the described GitHub backup/restore workflow. The scripts use GITHUB_TOKEN carefully (credential helper or gh CLI) and avoid exposing the token on the command line. No unrelated credentials or broad access requests are present.
- Persistence & Privilege (concern): The skill does not request always:true and does not modify other skills. However, because it restores identity and agent-behavior files (AGENTS.md, SOUL.md, MEMORY-related guidance) into the workspace, restoring this repo could change how an agent operates (including instructions to act without asking). That persistence of behavioral directives is a notable risk vector and should be treated cautiously.
