Skillv1.0.2

ClawScan security

Scent Trails · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 29, 2026, 2:34 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill is a high-level, instruction-only protocol document whose claimed behavior (no external egress, no credentials, in-memory/decaying state) matches the resources it requests, but it is declarative and lacks concrete, enforceable runtime code or provenance.
Guidance: This is primarily a design and policy document, not executable code. Its claims (no egress, no logs, decaying in-memory gradients) are internally consistent with the lack of required credentials or install steps — but those guarantees are declarative only. Before relying on this skill in production, ask for: (1) provenance (who authored/publishes it and where is the homepage or repository), (2) an implementation or reference implementation that enforces the non-egress and decay properties (tests, audits), and (3) concrete schemas or APIs that show how 'shared namespace cells' are represented and how human-confirmation for external anchoring is implemented. If you plan to let agents invoke this autonomously, ensure the platform enforces network/egress controls and that any implementation is audited so the 'formal non-egress guarantee' is actually enforced rather than assumed.

Review Dimensions

Purpose & Capability: okThe name and description (a stigmergic, decaying shared-memory primitive) align with what the skill requests: no binaries, no environment variables, no install, and no code files. There are no declared capabilities that are disproportionate to the stated purpose.
Instruction Scope: noteThe SKILL.md is a comprehensive, policy-style specification that explicitly forbids logs, exports, autonomous network egress, and identity capture. It contains no concrete runtime commands, APIs, file paths, or environment accesses. That makes it low-risk in terms of immediate I/O, but the guarantees are declarative: there is no implementation included to enforce the non-egress or decay properties. The instructions give the executing agent significant discretion (e.g., 'ambiguity defaults to silence') which is intentional but means correct behavior depends on the agent faithfully following the prose.
Install Mechanism: okThere is no install spec and no code to be written to disk. This minimizes the attack surface and is proportionate for a policy/instruction-only skill.
Credentials: okThe skill requests no environment variables, credentials, or config paths. That is consistent with the stated non-egress, in-memory, privacy-oriented purpose.
Persistence & Privilege: noteThe skill is not set to always:true and requests no persistent system privileges. Autonomous model invocation is allowed (the platform default). That is normal, but because the skill's core guarantees are behavioral (not enforced by code), autonomous invocation could produce undesired outcomes if an agent ignores the policy text — this is a platform/operational risk rather than an incoherence in the skill itself.