ExperienceEngine
Review
Audited by ClawScan on May 16, 2026.
Overview
ExperienceEngine appears coherent with its stated purpose, but it is a full coding-agent hook/CLI system that stores task-derived guidance, can run local helper processes, and may use configured LLM or embedding provider keys.
Install this only if you want a persistent experience layer for coding agents. Before using it in private or regulated repositories, decide whether automatic learning, prompt injection, background hook processing, and external LLM or embedding providers are acceptable, and keep provider credentials scoped to what you intend ExperienceEngine to use.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Future coding-agent runs may be influenced by previously learned hints, including any poor or stale guidance that was captured.
The skill explicitly stores task-derived experience and reuses it by injecting guidance into future prompts.
`before_prompt_build`: retrieve and inject matching experience ... `agent reasoning + tools`: capture failures, retries, corrections, and outcomes ... `task finalization`: distill new candidates into reusable experience
Use the inspection, feedback, cooling, quarantine, retirement, and disable controls described by the skill; review stored guidance when working in sensitive repositories.
If confirmed, the skill can change host integration state or managed ExperienceEngine state.
The Codex action registry exposes high-risk operational actions such as install, repair, upgrade, backup, export, import, and rollback, but marks them as operator-tier and confirmation-gated.
id: "execute_operational_plan" ... riskLevel: "high", requiresConfirmation: true
Confirm operational plans only when you understand the target adapter, state path, and rollback implications.
Host hooks may start local helper processes after agent activity to process learning data.
The static scan shows hook code spawning a Node child process to drain a background queue, which is expected for post-task learning but still means local code runs automatically under the user account.
const child = spawn(process.execPath, [process.argv[1] ?? "", "codex-hook", "--drain-queue"], {
Install only in environments where running this local hook code is acceptable, and disable the integration if you do not want automatic post-task processing.
If provider keys are present in the runtime environment, ExperienceEngine may use them for its embedding or distillation workflow, potentially consuming quota and authorizing third-party processing.
The embedding provider can use ambient provider API keys from the environment to authorize calls to external embedding services.
const apiKey = firstNonEmpty(env.OPENAI_API_KEY, env.EXPERIENCE_ENGINE_EMBEDDING_API_KEY); ... Authorization: `Bearer ${apiKey}`
Expose only the provider keys you intend ExperienceEngine to use, and prefer least-privilege or project-specific keys where available.
Task summaries, prompts, errors, or other experience text used for retrieval may leave the local machine when an external embedding provider is configured or auto-selected.
The code can send text to external embedding providers such as OpenAI; similar provider code is present for Jina and Gemini.
fetchWithTimeout("https://api.openai.com/v1/embeddings", { ... body: JSON.stringify({ model: OPENAI_MODEL, input: text })
Use a local embedding provider or carefully review provider settings and privacy terms before enabling external embeddings for sensitive work.
