Skill v1.0.0
ClawScan security
skill-optimizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 23, 2026, 10:55 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's purpose (analyze conversation logs and suggest optimizations) matches most of its instructions, but SKILL.md instructs the agent to read arbitrary file paths and to directly modify other skills' SKILL.md files — a high-risk capability that is not declared in the registry metadata and deserves caution.
- Guidance: This skill can analyze logs and will offer concrete edits — including directly editing another skill's SKILL.md after you confirm. Before installing or invoking it: 1) Be sure you trust the skill author and back up any skills you permit it to modify (export or copy SKILL.md). 2) Never provide paths to system or sensitive files; only point it at the specific skill files you want changed. 3) Require the agent to show a diff and ask for an additional explicit approval step before any write is performed. 4) Prefer running it in a sandbox or repository copy rather than letting it edit production skill files. 5) If you need assurance, ask the author to declare required config paths/permissions and to include a dry-run mode that outputs changes without writing them.
Review Dimensions
- Purpose & Capability (note): The SKILL.md expands the published description by adding an active modification step: after producing suggestions it will '直接修改目标技能的 SKILL.md' (directly edit the target skill's SKILL.md). The registry-level description presented to users did not clearly state this write behavior, so the skill's capabilities are broader than its top-level description suggests.
- Instruction Scope (concern): Runtime instructions explicitly tell the agent to: read conversation text (or read files from user-supplied paths), discover and read the target skill's SKILL.md, and—after user confirmation—directly modify that SKILL.md. Reading arbitrary file paths and writing to other skill files are high-scope actions that may touch unrelated or sensitive files if misused. The SKILL.md does require user confirmation before edits, but the ability to edit other skills is central and potentially dangerous.
- Install Mechanism (ok): Instruction-only skill with no install spec, no downloaded code, and no binaries. This minimizes supply-chain risk.
- Credentials (concern): The skill requests no environment variables or credentials, which superficially seems safe. However, the instructions rely on filesystem access to read arbitrary file paths and to modify other skills' SKILL.md files—access that is not declared in 'required config paths' or metadata. This mismatch between declared requirements and actual file read/write behavior is concerning.
- Persistence & Privilege (concern): The skill is not always-enabled (always: false), and it asks for user confirmation before making edits, which reduces autonomous risk. Nonetheless, it explicitly modifies other skills' files (SKILL.md), which is a permission beyond typical read-only analysis. The registry metadata does not declare or limit this write privilege.
