Skillv1.0.0

ClawScan security

人格修行系统 Daily Cultivation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 15, 2026, 2:52 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only journaling/notification skill whose required file reads/writes and cron changes are coherent with its stated purpose (daily morning wisdom and evening reflection).
Guidance: This skill is coherent with its stated purpose, but before installing: (1) confirm the filesystem path you choose for the vault — the skill will read and write files there (virtue-status.md, quotes/, and daily saved reflections); back up any important content; (2) confirm you want the skill to modify OpenClaw cron entries to schedule messages; (3) channel delivery requires platform-level integrations/credentials (Feishu/Discord/Telegram) outside the skill — ensure those tokens/targets are managed securely by the platform and not placed into these skill files; (4) review templates and quote files for any content you don't want auto-sent; (5) if you have strict privacy/security needs, restrict the skill's access to the specific vault directory and verify cron changes before applying.

Review Dimensions

Purpose & Capability: okName/description match the instructions: generating morning/evening messages, reading a local quotes/virtue status, templating, sending to configured channels, and optionally saving to an Obsidian vault. The requested resources (local files, templates, cron entries, channel targets) are proportionate to that purpose.
Instruction Scope: noteSKILL.md instructs the agent to read/write files under a user-specified vault (virtue-status.md, quotes/*.md, daily save path) and to update OpenClaw cron configuration. Those actions are expected for a journaling/notification skill but they do require filesystem and platform config access — review and confirm paths and consent before enabling. The instructions do not ask for unrelated system files, environment variables, or hidden external endpoints.
Install Mechanism: okNo install spec or external downloads — instruction-only skill (lowest install risk). Nothing is written to disk by an installer; runtime will rely on the agent and user-provided files.
Credentials: okThe skill declares no environment variables or credentials. It does expect channel targets and the platform to have the necessary channel integrations (Feishu/Discord/Telegram) configured elsewhere; that is a reasonable separation of concerns. There are no demanded secrets in the skill files themselves.
Persistence & Privilege: notealways:false (normal). The runtime instructions ask the agent to add cron entries to OpenClaw's config and to save daily notes to a user-specified vault — both are reasonable for this feature but grant the skill the ability to modify agent cron configuration and write files into the user's chosen directory. Confirm you want those modifications and that the target paths are correct.