ClawdGo
ReviewAudited by ClawScan on May 10, 2026.
Overview
ClawdGo appears to be a text-only cybersecurity training skill with no evidence of malicious code or exfiltration, but it does persist training memory and can schedule self-training messages.
Before installing, decide whether you want ClawdGo to write training profile data into runtime files and a soul.md anchor block. If you use B mode, remember it can schedule repeated training messages until stopped. The static secret warning appears to come from a mock lesson about not committing secrets, not from a real credential used by the skill.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may change what the agent remembers about training progress and security axioms across sessions.
The skill intentionally stores and updates persistent training memory, including a soul.md anchor block and runtime profile files. The behavior is disclosed and bounded to training state, but persistent memory can influence future sessions.
Memory architecture is three-layer... Layer 1 `soul.md` anchor block... Layer 2 `runtime/clawdgo-profile.json`... `session_end` must auto-save axioms by default
Install only if you are comfortable with persistent training memory; review or back up soul.md and the runtime/clawdgo files, and remove those entries if you stop using the skill.
After you start B mode and choose an interval, the skill may continue posting training scenarios on a schedule until stopped.
B mode can set up a recurring self-training push task. It is user-initiated and includes a stop command, but it is still a background/persistent behavior users should notice.
B 模式优先走“设间隔 -> 自动推送”流程... 创建/沿用 `clawdgo-b-drill`... 后续按 tick 推送...(发「暂停B」可停止)
Use B mode only when you want scheduled messages, and confirm that `暂停B` or the documented stop commands cancel the scheduled task.
The skill's origin is less independently verifiable from the provided registry fields.
The packaged local metadata uses a development owner label while the registry listing also says the source is unknown and homepage is absent. There is no code or install script, so this is a provenance note rather than evidence of unsafe behavior.
"ownerId": "local-dev", "slug": "clawdgo", "version": "1.3.2"
Prefer installing from a verified publisher or compare the package against the claimed public project before trusting long-term memory changes.