Back to skill
Skillv1.0.8
ClawScan security
ClawMind · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 15, 2026, 6:41 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill largely matches its stated purpose (health/VFM/memory) but includes an autonomous 'auto-created skill' engine that writes new skill files into the workspace and updates user/profile files — behavior that can escalate capabilities and should be reviewed and constrained before use.
- Guidance
- This skill appears to implement the advertised memory/health/VFM features, but it also includes an auto-created-skill engine that writes new skill files into your workspace and appends to USER.md. Before installing or enabling autonomous invocation: 1) Review scripts/auto_created_skill.py and decide whether automatic skill creation is acceptable; consider disabling or modifying it to require explicit user approval before saving files. 2) Restrict or sandbox the skill's workspace access (run in an isolated environment or container) so created files cannot affect other agent skills or sensitive files. 3) Back up your workspace and inspect /home/node/.openclaw/workspace/skills/auto_created/ and USER.md for any sensitive content that could be recorded. 4) If you do not want the agent to act autonomously, set disable-model-invocation or otherwise require manual invocation/approval for any auto-create/save operations. 5) If you need higher assurance, run the skill in a test account/environment and audit any generated .skill/.meta.json files before allowing them to be loaded.
Review Dimensions
- Purpose & Capability
- noteThe name/description (self-evolving agent, memory, VFM scoring) align with the included code: health calculation, proposal scoring, memory DB, state management. Requiring the OpenClaw workspace and reading/writing state and a local SQLite DB is coherent with the stated purpose.
- Instruction Scope
- concernSKILL.md and the scripts instruct/implement persistent state and memory operations (state/current_state.json, memory.db) which is expected. However scripts/auto_created_skill.py will autonomously generate and save new skill files under /home/node/.openclaw/workspace/skills/auto_created/ and scripts/update_user_profile appends to /home/node/.openclaw/workspace/USER.md — both extend scope beyond passive memory/health tracking into creating/modifying other skills and user profile files. The SKILL.md does not explicitly warn that new skills will be created automatically or that USER.md will be modified.
- Install Mechanism
- okThis is an instruction-only skill with bundled Python scripts and no install spec, no external downloads, and no package installs. Nothing is pulled from remote URLs during install; code is present locally in the skill bundle.
- Credentials
- noteThe skill requests no environment variables or external credentials, which is proportionate. It does, however, read/write multiple files in the workspace (state JSON, USER.md, SQLite DB, and creates files under skills/auto_created), so it requires file-system write access to the workspace — a necessary permission for its features but potentially sensitive for shared workspaces.
- Persistence & Privilege
- concernThe skill persistently writes to the workspace (state files, memory DB) and — importantly — can create new skill artifacts in the agent's skills directory. That is effectively modifying the agent's available capabilities and could be used to escalate privileges or introduce new behavior without explicit user approval. Although always:true is not set, the default of allowing model invocation combined with the auto-creation capability increases risk.