Skill v1.0.0
ClawScan security
Metacognitive Protocol Lite · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 2, 2026, 1:26 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's purpose and files largely match a metacognitive/operational prompt, but it includes instructions to modify system prompts, a suggested install command for an unknown hub, and a scanner-detected system-prompt-override pattern — all of which merit caution before adding this to an agent's persistent/system prompt or running files unreviewed.
- Guidance: This skill appears to implement what it claims (a metacognitive checklist and a harmless PPT generator), but it explicitly instructs integrators to add its rules to the system prompt and to 'clawhub install' the tool (no install provided). Before installing or persisting this skill:
  1) Do NOT paste its full instructions into a global/system prompt without human review — persistent system prompts can override model safeguards.
  2) Inspect any text you would add to a system prompt; trim or sandbox it and test in a limited environment first.
  3) Review create_ppt.py locally before running; it requires python-pptx and writes files to disk.
  4) Treat the 'don't ask clarifying questions — make assumptions' guidance cautiously; for many real tasks you should prefer explicit clarification.
  5) If you plan to 'install' from an unknown source, verify author and hosting; the skill has no homepage or known registry URL.
  If you want help extracting a safe, minimal system-prompt snippet from SKILL.md or sanitizing the instructions for limited use, I can create one and mark which lines are high-risk to persist.
- Findings: [system-prompt-override] expected: The SKILL.md explicitly recommends adding the protocol to the system prompt. For a metacognitive prompt/tool, this is expected, but the pattern is also exactly how prompt-injection or persistent override attacks are implemented. Manual review of the exact system-prompt text is recommended before applying it.
Review Dimensions
- Purpose & Capability (ok): Name/description (a metacognitive protocol) align with the provided SKILL.md, explanatory article, and a benign utility script (create_ppt.py). No unrelated env vars, binaries, or secret requests are present. The included Python slide-generator is consistent with marketing materials (presentation asset).
- Instruction Scope (concern): The runtime instructions explicitly tell integrators to 'Add the protocol to your system prompt' and to wrap agent execution with the 5-stage pipeline. This is functionally consistent with the purpose but is a form of system-prompt modification/prompt injection. The SKILL.md also contains an 'Ambiguity Protocol' that instructs the agent to make best-guess interpretations instead of asking clarifying questions — this grants the agent broad discretion and may cause it to proceed when clarification is appropriate. The file content does not instruct reading unrelated system files or using credentials, but the documented advice to alter system prompts and the 'clawhub install' suggestion (no install spec provided) are notable scope changes that should be done intentionally and reviewed manually.
- Install Mechanism (ok): No install spec (instruction-only) — lowest filesystem/network risk. The package includes a create_ppt.py that depends on python-pptx but no installer is provided; this is not dangerous but means the user must install dependencies manually. There are no downloads, third-party installs, or obscure URLs embedded.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. The included Python script writes/creates presentations locally if run, but it does not exfiltrate data or contact external endpoints. Overall, requested privileges are proportionate to the stated purpose.
- Persistence & Privilege (note): Registry flags show no 'always:true' or other high privilege. However, the SKILL.md's primary recommended integration path is to add the protocol to the system prompt (persisting its instructions at a system level). Persisting unreviewed system-prompt content is high-impact: it changes the agent's global behavior and could override safeguards. The skill itself does not force persistence, but its guidance encourages it — treat that as a manual decision with risk.
