ClawHub
Back to skill
v1.1.1

Counterclaw Core

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:53 AM.

Analysis

The core scanner appears defensive, but the optional Gmail sender can fail open and send email without protection if the scanner is unavailable.

GuidanceThe offline scanner itself is coherent and purpose-aligned, but review the optional email integration carefully. Do not rely on it for PII blocking unless it is changed to fail closed when scanning is unavailable, and be cautious with Gmail credentials, command-line email bodies, and the persistent memory log.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
email_protector.py
if not COUNTERCLAW_AVAILABLE:
        return {"safe": True, "pii_detected": None, "scanned": False}

When the scanner cannot be imported, outbound content is treated as safe and unscanned instead of blocking. In the bundled email-sending flow, this can allow a supposedly protected email to proceed without PII scanning.

User impactIf the protection layer is missing or broken, the email wrapper may still send messages, including sensitive content the user expected it to block.
RecommendationFail closed for email sending when scanning is unavailable, and require an explicit user confirmation or dry run before sending unscanned content.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
README.md
gog login your-email@gmail.com
...
export GOG_ACCOUNT=your-email@gmail.com
export GOG_KEYRING_PASSWORD=your-keyring-password

The optional email integration uses a Gmail account through the gog CLI and references a keyring password environment variable. This is disclosed and purpose-aligned, but it grants real email-sending authority.

User impactInstalling or using the email integration can allow outbound messages from the configured Gmail account.
RecommendationUse the least-privileged or dedicated account possible, avoid storing keyring passwords in shell history or shared profiles, and verify recipients before sending.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
src/counterclaw/middleware.py
MEMORY_PATH = MEMORY_DIR / "MEMORY.md"
...
f.write(f"**Sample:** {safe_text[:100]}...\n")

The middleware writes samples of blocked inputs or PII-detected outputs into OpenClaw's memory file. PII is masked and the sample is bounded, but untrusted prompt text can still become persistent agent memory.

User impactBlocked malicious text or sensitive-adjacent samples may remain in local agent memory and could be seen or reused later.
RecommendationReview and clear the memory log periodically, keep the file private, and consider storing security audit logs outside shared agent memory.