Skillv1.0.1

ClawScan security

Max-Self-Improvement · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 28, 2026, 1:24 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's purpose (persistent self-improvement and memory) is plausible, but its runtime instructions and shipped scripts contain inconsistencies and ambiguous storage/retention behavior (absolute /memories paths, always-kept preferences, logging of "environment details") that could lead to unexpected persistent data being written or sensitive context being captured.
Guidance: This skill appears to implement the described learning/memory features, but there are ambiguities and privacy concerns you should resolve before installing: 1) Ask the author where memory files will be stored exactly. If they are written to /memories or any absolute system path, insist they write only inside a sandboxed skill-specific directory (e.g., under the skill bundle or a configured data directory). 2) Confirm retention and deletion policies. "Never auto-delete" preferences can accumulate sensitive data — require an explicit delete/expire mechanism and ability for the user to purge stored memories. 3) Audit what the skill logs. The ERRORS.md templates invite logging "Environment details"; verify that environment variables, secrets, tokens, or file contents will not be captured or that logs are sanitized/encrypted. 4) Run the skill in an isolated environment first (non-production account or container) and monitor where files are created when activating error-detector/activator. 5) If you need stronger assurance, request a signed source/homepage or a maintainer contact and require the code to be adjusted so all writes are confined to a clearly documented skill-local path and retention controls are exposed to the user. Given the inconsistencies (absolute vs skill-local paths) and the potential for persistent capture of environment/context, treat this skill as potentially privacy-sensitive until the above are clarified.

Review Dimensions

Purpose & Capability: noteThe declared purpose (self-improvement, multi-layer memory, cross-session context) aligns with the provided templates and helper scripts which create and append to learning/error logs and provide memory file templates. However there is an inconsistency: the SKILL.md repeatedly references persistent paths under /memories/ (absolute-root style), while the executable scripts (activator.sh, error-detector.sh) create and write to a skill-local .learnings directory ($SKILL_DIR/.learnings). It's unclear whether memory files are intended to live inside the skill bundle, under a shared /memories directory, or elsewhere — that ambiguity matters for scope and data access.
Instruction Scope: concernSKILL.md instructs the agent to read/write persistent memory files (session_notes.md, user_preferences.md, patterns.md, metrics.md) and to log 'Environment details' for error entries. Those instructions give the agent explicit license to collect and persist contextual/environment details and never-auto-delete user preferences. The instructions also use absolute paths (/memories/...), which could cause writes outside the skill sandbox if followed literally. While shipped scripts are limited to the skill directory, the prose grants broader discretion to the agent to access and persist data beyond the skill's own files.
Install Mechanism: okThere is no install spec (instruction-only skill). The included helper scripts are simple shell/Python utilities for packaging and validation and do not download remote code. No networked install or archive extraction from arbitrary URLs is present in the package.
Credentials: noteThe skill declares no required environment variables or external credentials. However the error logging templates and SKILL.md suggest capturing 'Environment details' and 'Environment details if relevant' in ERRORS.md entries, which could lead to accidental inclusion of environment variables or other sensitive runtime context in persistent logs. No justification is provided for retention duration (user_preferences marked '永不自动删除'), increasing privacy risk.
Persistence & Privilege: concernThe skill is designed for persistent, cross-session memory and explicitly marks some user preferences as 'never automatically deleted.' While the skill is not forced-always and has no declared elevated privileges, persistent storage combined with the agent's normal autonomous invocation could produce long-lived data. The key risk is ambiguous storage location (skill-local vs system-wide /memories) and lack of retention/deletion controls; this increases the blast radius for accidental data exposure or accumulation of sensitive context.