NormieClaw Full Stack
Audited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (ignore-previous-instructions, you-are-now, unicode-control-chars); human review is required before treating this skill as clean.
This appears safe to review/install if you trust the source, but it is a very broad bundle. Install only the skills you need, read each subskill's setup prompt before letting the agent run commands, and be careful with skills that store financial, health, email, legal, or memory data locally. ClawScan detected prompt-injection indicators (ignore-previous-instructions, you-are-now, unicode-control-chars), so this skill requires review even though the model response was benign.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may run many local scripts from a package whose source is not clearly identified in the registry.
The package is a large bundle with many executable scripts but no formal install spec or provenance URL in the registry metadata.
Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill; Code file presence: 65 code file(s)
Install only the subskills you need, review each setup prompt and script first, and prefer a known source or checksum-backed distribution.

The agent can modify files in the workspace during setup.
The setup flow asks the user's agent to run shell commands that copy files, create directories, and set permissions. This is disclosed and purpose-aligned setup behavior, not hidden execution.
I need you to install the Budget Buddy Pro skill. Run these commands exactly:
Run setup commands only in a trusted workspace after reviewing them, and avoid pasting setup blocks you do not understand.

Bank statements, transactions, budgets, and savings goals may remain on disk after use.
The skill persists sensitive financial transaction data locally for future budgeting and reporting.
Save parsed transactions to `data/transactions/YYYY-MM.json`
Use this only on a trusted device, enable full-disk encryption where possible, and periodically review or delete stored data you no longer need.

Running the command will permanently delete that skill's stored analysis data.
The static scan snippet shows a destructive deletion command, but it is scoped to the skill's own data directory and presented as a user-directed cleanup action.
Run `rm -rf ~/.openclaw/skills/writing-coach-pro/data` to delete all stored analysis data
Run deletion commands only when you intend to remove that data; consider backing up anything important first.

Users could over-rely on the package's own security wording instead of reviewing what it does.
The artifact makes a security-verification claim, while the registry source is unknown and no external homepage is provided. This is not evidence of deception, but users should treat it as a self-attested claim unless independently verified.
🛡️ **Codex Security Verified**
Treat security claims as informational unless backed by an independent audit or trusted distribution source.
