Skill v1.1.0
ClawScan security
hplan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 11, 2026, 4:07 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it is an instruction-only planning helper that stores plans in a local .plan/ directory and uses the platform memory; no external installs or credentials are requested.
- Guidance: This skill appears to do what it says: it will create and maintain a .plan/ directory in whatever workspace it runs in and write short summaries to the agent's long-term memory. Before installing or enabling it: (1) review the templates and .plan/ contents so you know what gets written to disk; (2) do not include secrets or private credentials in plan text — memory entries are persisted across sessions; (3) consider modifying the workflow to ask the user before deleting the .plan/ directory (the SKILL.md currently instructs a silent delete when all phases are complete); (4) test the skill in an isolated or throwaway workspace first to confirm behavior you're comfortable with; and (5) if you need stricter control, require the agent to prompt for explicit user confirmation before saving to long-term memory or deleting files.
Review Dimensions
- Purpose & Capability
  - ok: The name/description (hierarchical persistent planning) aligns with the instructions: creating a .plan/ workspace, per-phase specs/checklists, and using OpenClaw memory for cross-session continuity. There are no unrelated env vars, binaries, or installs requested.
- Instruction Scope
  - note: The instructions require reading and writing files under the current workspace (.plan/*) and explicitly call platform memory functions (memory_search and saving short summaries). This matches the stated purpose, but two behaviors merit attention: (1) the skill instructs silently deleting the entire .plan/ directory if all phases are complete (this deletion happens without explicit user confirmation), and (2) it writes persistent summaries to long-term memory, which may capture sensitive or private plan contents if not sanitized.
- Install Mechanism
  - ok: No install spec and no code files (instruction-only), so nothing is downloaded or executed on install. This is the lowest-risk install model.
- Credentials
  - note: The skill requests no environment variables or external credentials, which is appropriate. It does, however, direct writes to the workspace file system and to the agent's long-term memory; while these are platform features (not external credentials), they are persistent storage locations and can retain user data across sessions, so users should avoid storing secrets in plan content.
- Persistence & Privilege
  - note: always:false and no system-wide modifications, which is normal. The skill's persistence is limited to the current workspace (.plan/) and writing short entries to OpenClaw memory. Because the agent can be invoked autonomously by default, the combination of autonomous invocation and automated memory writes could persist plan summaries without repeated explicit consent; consider whether that's acceptable.
