Skillv2.9.2

ClawScan security

IBT: Instinct + Behavior + Trust · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 7, 2026, 2:16 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: This is an instruction-only agent policy that is internally consistent with its stated purpose (execution discipline and preference learning); it requests no credentials or installs, but a few wording ambiguities about how implicit preferences are persisted and guarantees about isolation deserve attention before trusting it fully.
Guidance: This skill is primarily a set of behavioral rules and templates for agent execution and preference handling — it asks for nothing beyond using the agent's workspace (USER.md) to store preferences. Before installing, check two things in your agent runtime: (1) how USER.md is stored and who/what can read it (confirm it isn't exposed to other agents or external services), and (2) whether the runtime enforces the 'do not persist secrets' and 'do not write implicit preferences without consent' rules. Also clarify how implicit preference 'learning' is applied (in-session only vs. persistent) so you know what will be remembered between sessions. If you need strict guarantees about secrets or inter-agent isolation, verify those at the platform level — the skill's text is a policy, not an enforcement mechanism.

Review Dimensions

Purpose & Capability: okThe skill's name and description (agent execution discipline, trust, and preference learning) match the actual content: policies, templates, and runtime instructions for Observe→Parse→Plan→Commit→Act→Verify→Update→Stop. It does not request unrelated binaries, credentials, or external services.
Instruction Scope: noteThe SKILL.md instructs the agent to read and write a USER.md file in the agent workspace for preference storage. That behavior aligns with the described purpose, but there are subtle inconsistencies in the text: the doc says the agent 'learns implicit preferences' and 'applies preferences automatically' while also stating 'Agent never writes implicit/learned preferences to persistent storage without human consent.' This is ambiguous (automatic application could be in-session only, or persistent only with consent). The skill also claims USER.md is 'Not accessible to other agents, external services'—this is a runtime/privacy assertion in prose (not enforceable by the skill itself) and should be verified against the agent runtime's actual storage/access controls.
Install Mechanism: okInstruction-only skill with no install spec and no code files; nothing is downloaded or written by the skill itself. This is low-risk from an install perspective.
Credentials: okNo required environment variables, binaries, or configuration paths are declared. The only persistent artifact referenced is USER.md in the agent workspace, which is proportionate to preference storage for this purpose.
Persistence & Privilege: noteThe skill does not request 'always: true' or elevated privileges. It can be invoked autonomously by the agent (platform default). It instructs the agent to store preferences in USER.md, so installing it enables behavior that writes to the agent workspace; confirm that the runtime enforces the stated 'never store secrets' rules and any expected access isolation before relying on it for sensitive workflows.