Skillv1.0.0

ClawScan security

Dobby Harness Self-improving Coding Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 18, 2026, 4:57 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The package contents, documentation, and runtime instructions are coherent with a multi‑agent harness for coding workflows, but it persistently stores task state (WAL/working buffer) in plaintext and includes publish scripts that prompt for a GitHub PAT — review and sandbox before use.
Guidance: This skill appears to implement what it claims, but it persistently stores task state and logs in the skill workspace and includes scripts that push code to GitHub. Before installing or running it: - Review the WAL and WorkingBuffer code (memory/wal.js, memory/working-buffer.js) to confirm what data is logged and ensure no secrets (passwords, tokens, private keys) will be written. - Run the skill in an isolated/sandboxed environment (non‑root user, container, or VM) so logs and buffers are confined. - Set strict file permissions (chmod 600) on the skill's memory/wal and memory/buffer directories or enable disk encryption for those paths. - Disable or avoid features that auto‑commit, auto‑comment, or auto‑publish until you understand their behavior; keep autoCommit/autoComment=false by default. - Inspect push-to-github.sh before running. Do not paste your GitHub PAT into untrusted prompts/scripts; prefer authenticated git configured in a secure terminal session or use deploy keys scoped to a repository with minimal privileges. - If you need the self‑improvement features but are concerned about privacy, consider modifying the code to redact sensitive fields before writing logs or to enable encryption of WAL entries. If you want further analysis, provide the specific source files (memory/wal.js and memory/working-buffer.js) and I can point out exact lines to change to harden storage and logging.
Findings: [MED-001] expected: SECURITY-AUDIT.md reports WAL logs are stored in plaintext (memory/wal.js). Plaintext logging is expected for a local WAL implementation, but it is a medium‑priority risk because logs can contain sensitive data and should be encrypted or protected by file permissions. [MED-002] expected: SECURITY-AUDIT.md reports Working Buffer has no access control (memory/working-buffer.js). Persistent buffer storage is needed for recovery and self‑improvement, but lack of file permission controls is a medium‑priority finding that warrants mitigation (restrict permissions, encryption, or sandboxing).

Review Dimensions

Purpose & Capability: okThe name/description match the included code and docs: orchestrator, patterns, workflows, WAL, and working buffer are present and implement the claimed capabilities. There are no unrelated required env vars or binaries in the manifest.
Instruction Scope: noteSKILL.md and other docs instruct running node examples and tests and include a publish guide and push script that operate on local filesystem paths (e.g., /home/admin/.openclaw/workspace) and call git. Those runtime instructions will read/write files under the skill workspace and may ask the user to run git push (which requires a PAT). No instructions were found that surreptitiously exfiltrate data to unknown remote endpoints, but the publish script and guides require manual credential use.
Install Mechanism: okThere is no automated install spec (instruction-only install), and all code is bundled with the skill. No remote downloads, package installs, or extract-from-URL steps were detected in the provided manifest — this reduces supply‑chain install risk.
Credentials: okThe skill declares no required environment variables or credentials. The only place credentials are referenced is the push-to-github.sh / publish guide which instruct the user how to obtain and use a GitHub PAT for pushing/publishing — a normal publishing step but one that requires caution. There are no unexpected credential requests in SKILL.md.
Persistence & Privilege: noteThe skill persists runtime state via a WAL and a Working Buffer (memory/wal.js, memory/working-buffer.js) under its workspace. SECURITY-AUDIT.md flags these as storing plaintext logs and lacking access control. always:false and no cross-skill config edits are requested, but persistent local logs can contain sensitive task data and should be protected.