Skillv6.0.13

ClawScan security

nephesh-studio · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 13, 2026, 1:46 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's files mostly match its stated purpose (orchestration of an AI team), but its runtime instructions ask the user/agent to modify and read files outside the skill directory (a global SOUL.md identity file and a global TOOLS.md) and to schedule a cron that runs in the main session — behaviors that are surprising and increase risk.
Guidance: Before installing or enabling this skill, consider the following: - The skill requires you to add a persistent identity block to your own SOUL.md (a file outside the skill). Back up SOUL.md and inspect it before editing; avoid adding anything you wouldn’t want to be remembered permanently. - The SKILL.md instructs child agents to read ~/.openclaw/workspace/TOOLS.md (a global config). Review TOOLS.md for any secrets or tokens — if it contains credentials, do not allow subagents to read it or sanitize it first. - The recommended cron configuration runs the daily-check in the 'main' session (sessionTarget: main). That means scheduled runs will share the main conversation/context and could surface project data into your main chat. If you need periodic checks, prefer scheduling with an isolated sessionTarget or narrower scope. - The skill enforces absolute paths and global reads; if you want to use it, confine its files to a dedicated workspace and adjust templates to remove reads of global files (SOUL.md/TOOLS.md) where possible. - If you are not comfortable granting scheduled jobs or global config reads, do not add the cron or modify SOUL.md. Instead run the skill manually and keep its workspace isolated. Overall: the content is coherent with an orchestration assistant, but the outside-file modifications and global-config reads are surprising and elevate risk — proceed only after reviewing and limiting what global files the skill can access.

Review Dimensions

Purpose & Capability: noteThe skill claims to provide an 11-role team orchestration system and all included role docs, workflows, and templates are consistent with that purpose. However, the SKILL.md requires adding a persistent identity entry into the user's SOUL.md (outside the skill directory) and requires reading a global ~/.openclaw/workspace/TOOLS.md; these are not obviously necessary for a team orchestration skill and are unusual design choices.
Instruction Scope: concernRuntime instructions mandate reading many files under the skill directory (expected) but also: (1) require the caller to add an identity block to a user-owned SOUL.md (a file outside the skill), and (2) require child agent templates to read ~/.openclaw/workspace/TOOLS.md (a global tool/config file). The daily-check cron example further instructs running checks in the 'main' session so results are posted to the main conversation. Both cross-scope reads (SOUL.md and TOOLS.md) and running periodic jobs in the main session broaden the data the skill will access and expose.
Install Mechanism: okInstruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by the skill bundle itself. The only persistent action it suggests is that the user create/modify files and optionally add an openclaw cron entry (user-operated).
Credentials: concernThe skill does not request environment variables or credentials, which is appropriate. However, it instructs reading a global TOOLS.md (likely to contain tool configuration and possibly credentials/pointers) and modifying a user-owned SOUL.md. Asking the agent to read global configuration files is disproportionate to a skill that could operate only inside its own skill workspace.
Persistence & Privilege: noteThe skill itself is not always:true and cannot autonomously install binaries, but it recommends creating a cron job that runs in the 'main' session and posts results there. That creates a persistent scheduled job with access to the main session's context if the user sets it up. This increases the skill's operational persistence and blast radius even though the skill bundle doesn't request elevated flags itself.