Skill v0.1.3
ClawScan security
brainmd · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 26, 2026, 8:50 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior (a self-modifying, file-based 'brain' that writes and executes scripts) matches its description. There are minor inconsistencies (Node.js is required but not declared), and the self-modifying execution model expands the agent's attack surface; review and limit where the brain is allowed to write and run code before installing.
- Guidance: This skill is doing what it says: a file-based, self-modifying behavioral memory that writes pathway files and logs mutations. The main risks are operational, not covert: it runs Node.js scripts and can create and execute new JS files in the brain/ tree (including a skills/ directory). Before installing:
  - Ensure Node.js is installed (the skill assumes 'node' but the metadata does not declare it).
  - Install and initialize the brain in a restricted directory, not your home directory or a system path.
  - Review and lock down permissions on the brain/ folder: prevent world-write, and consider a container or an isolated workspace.
  - Avoid granting automated, high-privilege agent processes permission to execute newly created scripts; prefer manual review of generated code, or run review.js only, never arbitrary generated scripts.
  - If you wire this into heartbeat or task callbacks, log every invocation and audit mutations and created scripts regularly. Keep that log outside the brain/ tree, since generated code can write anywhere inside it.
  - If you want, I can produce a short checklist or a hardened init-brain.sh that creates a sandboxed environment and warns on newly created executable scripts.
Review Dimensions
- Purpose & Capability (note): The name/description, README, SKILL.md and code are aligned: the skill implements a file-based reinforcement system and a cortex engine that updates pathway weights. However, the package metadata lists no required binaries while all runtime instructions and scripts require Node.js (the JS files are invoked with 'node'). SKILL.md also references 'clawhub install' even though there is no install spec. These are minor mismatches that should be corrected but do not imply malicious intent.
- Instruction Scope (concern): The instructions direct the agent to run CLI commands that read and write files under a brain/ workspace (pathways.json, mutations/), which is coherent with the stated goal. The important concern is that the system is explicitly self-modifying and allows creation and evolution of scripts (skills/ and reflexes/ directories). If the agent is granted permission to run those generated scripts automatically, it can execute arbitrary JS code created during operation. SKILL.md also encourages wiring review into automated heartbeats and task callbacks, which increases how often these modifications run without a human in the loop.
- Install Mechanism (ok): There is no network install spec and there are no external downloads; the files are included in the skill bundle and init-brain.sh copies them into the user's workspace, so install risk is low. The only minor incoherence is SKILL.md's mention of 'clawhub install brainmd' without an actual install spec in the package metadata; otherwise no high-risk installers or external URLs are used.
- Credentials (note): The skill requests no credentials or special environment variables. It reads and writes filesystem state within the brain/ directory and honors an optional BRAIN_ROOT environment variable, which is proportionate for a file-based learning system. Be aware that SKILL.md encourages reading other agent memory files and injecting pathways into prompts, so the agent will read additional workspace files if you wire it that way.
- Persistence & Privilege (concern): The skill persists state (weights, mutations) and is explicitly self-modifying. It does not request 'always: true' and does not modify other skills' configs, which is good. The concern is that it creates and can execute scripts inside the brain/ tree (including a skills/ directory); combined with automated heartbeats or task callbacks, this gives the agent the dynamic capability to create and run new code, increasing the blast radius if the agent runs autonomously. Limit execution privileges and keep the workspace in a sandboxed location.
