Skill v1.0.1
ClawScan security
digital-life-grandpa-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 4, 2026, 4:39 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's stated purpose (creating a personalized 'grandpa' companion) matches its instructions, but it requires permanent storage of sensitive personal memories and includes a helper script that could be used to push those files to GitHub — creating a meaningful privacy/exfiltration risk that the package does not clearly justify or mitigate.
- Guidance
- This skill appears to do what it says (create a personalized 'grandpa' companion), but it collects and persists sensitive personal memories and family identifiers and includes a helper script that can publish the generated files to GitHub if executed. Before installing or running it:
  - Confirm where generated data will be stored (local path vs remote knowledge-graph) and who controls that storage. Ask the author for encryption, access controls, and a deletion/retention policy.
  - Do not run upload-to-github.sh (or any git/gh push) unless you explicitly want those memories published and you understand which GitHub account will receive them. Remove or inspect that script before execution.
  - If you will store memories of other people, ensure you have their consent and consider legal/privacy implications.
  - Consider running the skill in an isolated environment (sandbox) or review generated files before permitting persistent storage.
- What would change this assessment: an explicit, auditable storage policy (local-only encrypted storage, clear retention/deletion controls), removal or disabling of the GitHub upload helper, and documentation that the knowledge-graph is private and controlled by the user (or explicit opt-in before any external upload).
Review Dimensions
- Purpose & Capability
- note: The name/description (build a personalized 'grandpa' conversational skill) aligns with the SKILL.md content: asking a 5-step interview and generating a per-user skill. Nothing in the bundle requests unrelated cloud credentials or system-level privileges. However, the skill explicitly intends to write generated skill files and family memory to a local workspace and 'permanent' family memory graph, which is more persistent than a transient conversational helper and should be considered part of the capability.
- Instruction Scope
- concern: The runtime instructions direct the agent to collect highly personal information (nicknames, intimate memories, names of family members) and to create and permanently store a per-user skill under /root/.openclaw/workspace/skills/[小名]-skill/. The SKILL.md claims it 'reads' Memory, FamilyProfile, InterviewLog and 'writes' GrandpaSkill and FamilyMemory — implying access to existing personal data stores. There are no safeguards described (encryption, access controls, retention policy), and the instructions insist 'must store' and 'permanent save', which broadens scope beyond ephemeral conversation and raises privacy risk.
- Install Mechanism
- ok: There is no install spec (instruction-only), so nothing is automatically downloaded or installed. The only included code file is a small bash helper (upload-to-github.sh) — no external downloads, packages, or extract operations are present in the manifest.
- Credentials
- concern: The skill requests no environment variables or credentials, which is appropriate. However, it nevertheless plans to persist sensitive personal data to local storage and a 'family memory knowledge graph' without specifying where that graph is hosted or how it is protected. The bundle contains a GitHub upload script that, if executed in an environment with gh/git authenticated, would push those files to a public GitHub repo — a capability not justified by the description and disproportionate to core purpose unless the user explicitly consents to public backups.
- Persistence & Privilege
- concern: The skill is not forced-always and does not request system-wide privileges, which is good. But it explicitly instructs persistent writes into the agent workspace and claims 'permanent' preservation to local/NAS/knowledge-graph. Combined with the included upload-to-github.sh (which can publish the workspace to GitHub if run), this represents a high-persistence/data-exposure risk that should be consented to and controlled by the user.
