Skill v98.0.1
ClawScan security
Agent Memory Architecture · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 17, 2026, 5:22 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions coherently describe a local 5-file memory architecture and ask for only local file reads/writes, but a detected prompt-injection pattern and the presence of sensitive personal data handling warrant manual review before installation.
- Guidance: This skill appears to be a legitimate design doc for a local agent memory system, but take these precautions before using it:
  1) Manually search SKILL.md (and referenced templates) for any lines that tell the agent to 'ignore previous instructions', disable safety checks, or send files to external endpoints — remove or fix anything suspicious.
  2) Do not populate these memory files with secrets (passwords, API keys); store only non-sensitive profile/context and keep credentials in a secrets manager.
  3) Run the skill in an isolated test workspace first and verify it obeys the 'never share' rules and doesn't attempt network exfiltration.
  4) Ensure filesystem permissions restrict access to MEMORY.md, SOUL.md, and USER.md.
  5) If you lack time to audit, treat the skill as untrusted: don't use real PII or production data with it.
  If you can share the exact SKILL.md lines flagged for injection, I can help interpret whether they are benign (defensive examples) or malicious.
- Findings:
  - [ignore-previous-instructions] unexpected: A prompt-injection pattern was detected in SKILL.md. The document does discuss 'prompt injection defense', so the string may legitimately appear as part of defensive guidance. Nevertheless, any instruction that tells the agent to ignore prior instructions or safety checks would be dangerous; manually inspect where the pattern appears and whether its context is defensive or an attempted override.
Review Dimensions
- Purpose & Capability (ok): Name and description match the content: SKILL.md and reference docs lay out a 5-file durable memory architecture. The skill asks for no binaries, env vars, or installs — which is proportionate for an instruction-only design document implementing local file-based memory.
- Instruction Scope (note): The runtime instructions explicitly direct the agent to read and maintain specific local files (SOUL.md, IDENTITY.md, USER.md, AGENTS.md, MEMORY.md and daily notes). This is expected for a memory architecture, but these files are declared to contain sensitive information (agent persona, user PII, decisions). The SKILL.md also includes explicit 'never share externally' rules. However, the pre-scan flagged a prompt-injection pattern ('ignore-previous-instructions') inside the SKILL.md — it may be part of a section on 'prompt injection defense', but it must be inspected to confirm it's not an instruction that would make the agent ignore safety constraints or evaluation controls.
- Install Mechanism (ok): No install spec and no code files; the skill is instruction-only. That minimizes code-execution/exfiltration risk from external downloads. Risk is concentrated in the agent following the prose instructions at runtime.
- Credentials (note): The skill requests no environment variables or external credentials, which is appropriate. It does, however, instruct storing sensitive personal data (emails, timezone, working hours) and long-term decisions in local files. That is coherent for a memory system but creates a high-value local data store — verify access controls and avoid storing secrets or credentials in these files.
- Persistence & Privilege (ok): always:false and no special config paths are requested. The skill does enable autonomous invocation by default (platform default). Combined with local file read/write instructions, an autonomously-invokable agent could act on local memory; this is expected but worth noting in threat modeling.
