ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skills

v1.0.1

Ask Tracy to analyze your recent trajectories and improve your agent behavior based on data-driven recommendations.

0· 32·0 current·0 all-time
by@richard-epsilla
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (self-analysis of agent trajectories) match the declared requirement (CLAWTRACE_OBSERVE_KEY) and the runtime endpoint (https://api.clawtrace.ai/v1/evolve/ask). No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
SKILL.md contains concrete instructions for calling the ClawTrace SSE endpoint, parsing streamed 'text' events, and acting on recommendations (trimming history, writing a MEMORY.md entry). These actions are within the skill's purpose. The skill also claims 'Tracy has access to your real trajectory data' and 'respects tenant isolation'—these are statements about the remote service and cannot be verified locally, so you should confirm privacy/isolation guarantees from the provider before sending sensitive traces.
Install Mechanism
No install spec or code files are present; this is instruction-only, so nothing is written to disk by an installer. Lowest-risk installation profile.
Credentials
Only a single environment variable (CLAWTRACE_OBSERVE_KEY) is required, which matches the described authentication method. No unrelated secrets or multiple credentials are requested.
Persistence & Privilege
The skill is not forced-always and does not request elevated platform privileges. It instructs the agent to write to its own MEMORY.md (local record-keeping) which is normal and scoped to the agent.
Scan Findings in Context
[no-findings] expected: Regex scanner saw no code to analyze; this is an instruction-only skill, so empty scan results are expected. Review SKILL.md content instead (done above).
Assessment
This skill appears coherent, but before installing consider: (1) CLAWTRACE_OBSERVE_KEY is sensitive—ensure the key has minimal scope and rotate/revoke it if needed; (2) confirm ClawTrace's privacy and tenant-isolation policies because using the skill will cause trajectory data (trace_ids/session context) to be analyzed off-host; (3) the skill suggests truncating conversation history and writing to MEMORY.md—make sure those local changes match your own data-retention policies; (4) limit calls (the skill already recommends not calling Tracy more than twice per session) to control cost and data exposure; and (5) if you need stronger assurance, ask the provider for docs on what data is transmitted and how it's stored/retained.

Like a lobster shell, security has layers — review code before you run it.

latestvk970e0s731tzgb9vmm4t5rpx7d84sv50

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔬 Clawdis
OSLinux · macOS · Windows
EnvCLAWTRACE_OBSERVE_KEY

Comments