Skillv1.0.0

ClawScan security

Auto Improver · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 13, 2026, 2:03 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's claims (autonomous learning, data capture, and automatic skill creation) are not implemented in the shipped code and the instructions are vague about what system data to read or how permissions are obtained, so it warrants caution before installing.
Guidance: This package is a stubbed self-improvement agent: the shipped code only runs an infinite 17‑minute sleep/loop and contains many TODOs, but the documentation promises broad behaviors (reading execution history, extracting patterns, auto‑publishing skills). Before installing or running: - Treat it as untrusted code: inspect and approve any code changes before running. - Run in a sandbox or isolated environment (container, VM) and avoid giving it access to sensitive logs, home directory, cloud credentials, or keys. - Note the SKILL.md lists Bash/Exec/Read/Write tools — those would let the agent run arbitrary shell commands and read files if implemented; only allow them if you trust the author. - If you want the feature set (data capture, auto‑publish), require explicit documentation of what data is read, where data is stored/transmitted, and what credentials are needed. Demand least-privilege design and auditability before granting those privileges. - Because the implementation is incomplete, consider waiting for a mature release or ask the author for a security design and provenance of published skills before use.

Review Dimensions

Purpose & Capability: noteName and description claim a local self‑improving agent that learns from past executions; the package contains a local Node.js program that runs a 17‑minute loop, which is consistent in surface purpose. However the SKILL.md promises extensive features (pattern extraction, data encryption, automatic skill publishing, private deployment) that are not implemented in src/index.js (most logic is TODO). The presence of child_process and fs imports suggests future capabilities but are unused.
Instruction Scope: concernSKILL.md describes capturing execution data, user feedback, and evolving skills but does not specify data sources, access boundaries, or required credentials. The header lists tools including Read, Write, Bash, Exec — that combination grants broad capability to read files and run shell commands if the agent follows the instructions. The shipped runtime code does not read logs or ask for permissions (it only sleeps), so current behavior is mild, but the instructions leave large, unspecified scope creep that could later access sensitive data.
Install Mechanism: okNo install spec (instruction-only) and code is bundled in the package (no external downloads). There is no runtime fetching of remote code or archives in the provided files. This lowers install-time risk.
Credentials: okThe skill requests no environment variables, no config paths, and no credentials. That is proportionate to the current minimal implementation. Note: SKILL.md claims features (private deployment, publishing skills) that would normally require credentials, but none are requested now.
Persistence & Privilege: notealways is false and the skill is user-invocable (normal). The skill's stated goal of autonomously evolving and creating skills implies privileged actions (publishing/enabling other skills) but there is no code performing that now. If author later adds automation to modify or publish other skills, that would be a higher privilege concern.