Skillv1.0.0

ClawScan security

Big Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 27, 2026, 7:01 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior is coherent with its stated goal (saving and restoring structured snapshots) but its runtime instructions encourage broad, persistent capture of exact code, env var values, and file paths and recommend changing global compaction/system prompts and indexing session transcripts — all of which raise privacy and exposure concerns that are not reflected in its declared requirements.
Guidance: This skill will routinely write detailed, append-only snapshots containing exact code snippets, file paths, and explicit environment variable names/values into your agent's memory files. Before installing or enabling automatic captures: (1) Confirm what 'Read' and memory file permissions allow in your environment — can these memory files be read by others or exported? (2) Avoid storing secret values (DATABASE_URL, API keys, passwords) in snapshots; prefer redaction or storing only safe identifiers. (3) Do not enable the suggested global systemPrompt change or session indexing unless you trust automatic captures — those settings cause the agent to capture more detailed context automatically. (4) Establish a retention and access policy (who can read memory/*.md, backups, encryption at rest). (5) If you must store sensitive state, prefer ephemeral or encrypted storage outside general memory files and require explicit user confirmation before any automatic snapshot. If you want a lower-risk test, use manual/user-initiated snapshots only and review written snapshots regularly.

Review Dimensions

Purpose & Capability: okName and description match what the SKILL.md instructs: capture structured snapshots to memory files and recover them after compaction using built-in memory tools (memory_search, memory_get, Read, Edit). No unrelated binaries or external services are required. Recommending an optional openclaw.json change to trigger structured captures is consistent with the goal.
Instruction Scope: concernInstructions explicitly tell the agent to capture exact code snippets, exact env var names/values (e.g., DATABASE_URL), absolute file paths, and to append them into persistent daily memory files. It also recommends enabling session transcript indexing. These instructions go beyond lightweight metadata capture and can cause sensitive secrets and full code/config to be stored and retained. The skill gives the agent broad discretion to read files and sessions and to write append-only logs — a clear data-exfiltration/privacy risk if misused or if memory files are accessible.
Install Mechanism: okInstruction-only skill with no install spec and no code files — nothing is downloaded or executed on install. This minimizes supply-chain risk. However, because it's purely instructions, static-scanner had nothing to analyze.
Credentials: concernThe skill declares no required env vars or credentials, yet its templates expressly recommend recording exact environment variable values and other sensitive identifiers. It also suggests optionally using cloud embeddings (mentions 'openai') in examples without declaring that API keys would be needed. Asking the agent to persist env var values and absolute paths is disproportionate to a simple snapshot service and increases exposure of secrets.
Persistence & Privilege: noteThe skill does not request 'always: true' and allows normal autonomous use. It does, however, recommend modifying global agent compaction/system prompts (openclaw.json) and optionally enabling session indexing — these changes increase the skill's effective persistence and the amount of data captured across sessions. The append-only retention policy also prolongs stored data lifetime.