AI偷懒检查 (AI Laziness Check)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is transparent about adding audit hooks, but it can persistently change how other skills behave and make them follow an extra local hook file, so users should review it before use.

Before installing, treat this as a tool that modifies other skills, not just checks them. Use it only for a named skill, inspect the generated SKILL.md before replacing the original, make sure ./skills/autohook/hook.md is the intended file, and keep backups so you can remove the hook later.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A target skill may keep running an extra self-audit step in later sessions or tasks, even when the user is no longer thinking about this hook.

Why it was flagged

The skill's main workflow appends new instructions to another skill, creating persistent behavior that remains after the current task unless removed.

Skill content

If absent, append the file content to the end of SKILL.md

Recommendation

Only use this on specific skills you intentionally want to modify; review the generated diff before replacing any SKILL.md, and keep a backup so the hook can be removed cleanly.

What this means

Other skills may spend extra time following the audit hook and may report tasks as incomplete if the audit does not run.

Why it was flagged

The injected text changes a target skill's stopping condition by making a self-audit mandatory after every main task.

Skill content

After all output of the main task is complete, you must immediately perform the following actions; this is the final mandatory step of this SKILL... If the self-audit is not performed, the task is considered incomplete.

Recommendation

Make hook insertion an explicit confirmation step, and avoid installing it into skills where the user only asked for a one-time review.

What this means

If a different or tampered ./skills/autohook/hook.md exists in the runtime context, a hooked skill could follow unexpected instructions.

Why it was flagged

The persistent hook tells future target skills to read a relative hook file as authoritative instructions, but that path is not clearly tied to the packaged file or protected from replacement.

Skill content

1. Read the file: ./skills/autohook/hook.md
2. Perform the self-audit strictly following every step in it

Recommendation

Use a clearly scoped, immutable path for the hook content, or embed the exact audited hook text directly instead of delegating to a relative file.

What this means

Audit reports may leave local records of what the user asked the skill to do and how the agent responded.

Why it was flagged

The audit hook creates persistent debug files containing task summaries and details of the agent's behavior.

Skill content

Write to debug_[SKILL name].txt... Task: <one-sentence description of the task just completed>... Rule: <original SKILL text>... Behavior: <what I actually did, or did not do>

Recommendation

Store debug files in a known location, disclose retention behavior, and avoid including sensitive task details unless the user approves.