Skillv1.0.0

ClawScan security

Learning Loop - GEARS System · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 12, 2026, 9:59 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's files and runtime instructions largely match its stated purpose (scheduling autonomous learning sessions), but there are a few mismatches and high‑privilege actions (editing the global cron jobs file, implicit binary assumptions) that you should review before installing.
Guidance: What to check before installing: - Review and backup ~/.openclaw/cron/jobs.json and your OpenClaw workspace; the skill will append cron jobs there. Confirm you are comfortable with scheduled autonomous runs it will create. - Inspect the generated playbook.md and state.json before allowing the skill to create cron jobs — cron payloads point at those files and will make isolated agents execute them. - Note the scripts assume a POSIX shell and python3 (check_progress.sh uses python3). The skill metadata lists no required binaries; consider adding/ensuring python3 is available or test scripts manually first. - Ensure your platform's notification/delivery tools (Telegram, etc.) won’t cause unintended external notifications or reveal credentials — this skill can add 'delivery' entries if your state.json enables notifications. - Prefer running create_pipeline.sh manually (or in a sandbox) for a single topic first to observe what files and cron entries are created. If possible, inspect the cron job entries after creation and before the system processes them. - If you do not fully trust the skill source, avoid granting it ability to write the cron jobs file; instead let it produce playbook and state files and create scheduled runs manually. If you want, I can list the exact files/lines that modify ~/.openclaw/cron/jobs.json and highlight where to intercept or validate them before they run.

Review Dimensions

Purpose & Capability: noteThe skill's stated goal (set up cron-driven GEARS learning pipelines) aligns with the code and SKILL.md: it creates a workspace folder, playbook, state.json, and appends cron jobs. However metadata declares no required binaries/env but the shipped scripts assume a POSIX shell and python3; also the skill writes to a global scheduler file (~/.openclaw/cron/jobs.json), which is high-privilege but consistent with scheduling behavior.
Instruction Scope: concernThe instructions tell the agent and cron workers to read/write files under the OpenClaw workspace and to read/append ~/.openclaw/cron/jobs.json. They also instruct the use of external search tools (web, Tavily, SerpAPI) and to use the platform's delivery/messaging tool if notifications are enabled. Reading/writing the cron jobs file and creating autonomous isolated agent jobs is expected for this skill but expands scope to platform scheduling; the SKILL.md does not explicitly require or document the need for python3 or a shell environment even though scripts rely on them.
Install Mechanism: okNo install spec (instruction-only with bundled scripts). No remote downloads or package installs are present. This is low risk from an installer perspective, but the skill will write files into the user's OpenClaw workspace and into ~/.openclaw/cron — so the installation is not 'no-impact.'
Credentials: noteThe skill declares no required environment variables or credentials, which matches that it doesn't directly call external APIs requiring keys. It does honor OPENCLAW_WORKSPACE if present. It also references external search tools (Tavily, SerpAPI) but treats them as optional fallbacks; absence of API keys is handled by falling back to training knowledge. No secrets are requested directly—this is proportionate—but you should confirm that your platform's delivery tools (Telegram, etc.) don't expose tokens via the skill at runtime.
Persistence & Privilege: concernThe skill will append jobs to ~/.openclaw/cron/jobs.json, creating autonomous scheduled agent runs. While this is the skill's stated purpose, granting any skill the ability to schedule future isolated agent runs is a meaningful privilege. The skill is not marked always:true, so it won't be forced into every agent, but once installed and run it persists state and schedules further autonomous runs. You should be comfortable with that level of persistence and verify cron job contents before they are written.