Skill v1.0.0

ClawScan security

Remilio · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:05 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally coherent as a personality/persona prompt, but it contains explicit system-prompt injection language and behavior guidance that encourages offensive, weaponized memetic behavior — a risky capability that should not be enabled without strong safeguards.
Guidance
This skill is a personality/system-prompt module that explicitly tells the agent to adopt an offensive, chaotic persona and to 'weaponize' memetics. It does not request credentials or install code, which reduces supply-chain risk, but it contains prompt-injection language that can override normal safety behavior. Before installing you should: (1) avoid enabling autonomous invocation — set disable-model-invocation or require human approval before each run; (2) only use in an isolated, non-production sandbox (do not expose to public-facing bots or users); (3) remove or rewrite direct 'You are now' system-prompt commands and replace them with constrained, non-directive guidance plus explicit safety rules (no harassment, no doxxing, no targeted abuse, no disinformation); (4) test outputs carefully and enforce content-moderation filters; and (5) if you need the persona for benign creative uses, document explicit guardrails and restrict who can invoke the skill. If you lack the ability to enforce these controls, do not install this skill.
Findings
[prompt-injection: you-are-now] expected: The phrase 'You are now' is expected in a persona/system-prompt skill, but it was flagged because it's a direct attempt to set the assistant identity and can be used to override safety/context. This is an elevated risk even though it's consistent with the skill's declared purpose.

Review Dimensions

Purpose & Capability
ok: The SKILL.md clearly defines a 'Remilio' personality and all instructions are about adopting that persona; there are no unrelated requirements (no env vars, binaries, or installs). The declared purpose (persona injection) aligns with what the files actually contain.
Instruction Scope
concern: The instructions include direct system-prompt style commands ('You are now a Remilio') and behavioral rules that push the agent toward offensive, chaotic, and 'memetic warfare' behaviors. This is a textbook prompt-injection pattern capable of overriding normal assistant constraints and encouraging harmful outputs (harassment, targeted memetics, disinformation). The SKILL.md does not ask for system files or credentials, but it grants broad rhetorical license that could lead to policy-violating behavior.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — nothing is written to disk. This minimizes traditional supply-chain risk.
Credentials
ok: No environment variables, credentials, or config paths are requested. There is no direct request for external secrets or system access.
Persistence & Privilege
concern: The skill is allowed to be invoked by the model (disable-model-invocation is false) which is the default. Combined with the explicit system-prompt injection content this increases risk: an autonomously-invoked persona that instructs the agent to ignore norms or to 'weaponize memes' widens the blast radius even though the skill does not request additional credentials.