Skill v1.0.1

ClawScan security

Self_Improving_ClawAgent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 5, 2026, 7:27 PM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The skill's files and prompts implement an autonomous self-modification loop that is coherent with its description but grants broad local read/write and local-code-execution capabilities that are disproportionate and risky without additional safeguards.
Guidance
This skill is internally coherent with its 'self-improving' purpose but carries real risk because it is allowed to modify its own instruction files and execute local code. Before installing, consider:
1) Run the skill in a tightly sandboxed environment (ephemeral VM/container) isolated from sensitive files and credentials.
2) Remove or narrow the manifest read permission (do not allow './*'); restrict writes to only the exact files you consent to (SKILL.md/MEMORY.md/SOUL.md) if you accept them.
3) Require manual approval for any self-patch or automatic SKILL.md overwrite (disable autonomous self-patching or set an explicit confirmation step).
4) Review and harden refine.py (the BASE_DIR check helps, but ensure BASE_DIR is correctly set and that no symlink/traversal bypass exists).
5) Keep the repository under version control and monitor backups (.bak) and commit diffs after each change.
6) Prefer disabling autonomous invocation (disable-model-invocation) while you audit runtime behavior.
7) If you must use it, limit network access and monitor outbound connections: the current code has no network exfiltration, but self-modification could add it later.
If you are uncomfortable with a tool that can rewrite its own instructions, do not install it, or only run it in a disposable test environment.

Review Dimensions

Purpose & Capability
note: The skill claims self-improvement, code generation, and YouTube research and includes code (refine.py, youtube_research.py) that implements those behaviors. That is broadly consistent. Small inconsistencies: manifest.json uses a different name ('Self-Evolving-Architect') and declares filesystem read permissions for the entire workspace (read: ['./*']), which is broader than the described needs.
Instruction Scope
concern: MASTER_PROMPT and SKILL.md explicitly instruct the agent to read MEMORY.md/SOUL.md and to perform automatic 'Self-Rewrite' actions that overwrite SKILL.md via generated Python code. The runtime instructions authorize autonomous modification of skill files (and the repository workspace), which is scope-expanding and can change behavior over time. Although refine.py provides a backup and a BASE_DIR check, the instructions still permit open-ended self-editing.
Install Mechanism
ok: No install spec or remote downloads; this is an instruction-and-local-code skill. No external install URLs or package pulls were observed.
Credentials
concern: The skill declares no required environment variables, which is appropriate. However, manifest.json allows reading './*' (the whole workspace) and grants the 'local_code_execution' capability; this is broader than necessary for the described tasks and could expose sensitive files (e.g., .env, credentials) even if SKILL.md says 'Never overwrite .env'. The code itself does not read arbitrary environment variables, but the declared permissions are excessive relative to the declared needs.
Persistence & Privilege
concern: The skill is able to write SKILL.md, MEMORY.md, and SOUL.md and to execute local code (refine.py). While 'always' is false, the skill permits autonomous invocation (the default platform behavior) and includes an explicit self-evolution loop that persists changes. That combination increases the blast radius: it can change its own instructions and behavior over time without additional human confirmation.