v1.0.0

Adversarial Review

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:19 AM.

Analysis

The skill mostly matches its adversarial document-review purpose, but one helper script evaluates a user-supplied destination path in a way that could run unintended shell commands.

GuidanceInstall only if you are comfortable with a multi-agent review workflow that stores copies of documents locally and sends document content to reviewer model sessions. Before use, the cp-output.sh helper should be fixed to remove eval from destination-path handling.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution

SeverityHighConfidenceHighStatusConcern

scripts/cp-output.sh

DEST=$(eval echo "$DESTINATION")

The script evaluates a user-supplied destination path as shell syntax before copying the output file. A crafted destination string could cause unintended command execution.

User impactCopying a review output to a maliciously crafted path could run shell commands with the user's local permissions.

RecommendationRemove eval, keep paths quoted, and use a safer approach for home-directory expansion or require the agent to pass only validated destination paths.

Agent Goal Hijack

SeverityLowConfidenceHighStatusNote

SKILL.md

SELF-TRIGGERING: load this skill and run the complexity self-assessment whenever you are about to produce or have just produced any substantial document ... offer the review loop if it qualifies.

The skill can proactively insert a review recommendation into broader document-writing tasks. It says to offer or strongly recommend rather than silently run, so this is a disclosed scope note rather than a concern.

User impactThe agent may suggest the review workflow even when the user did not explicitly ask for it.

RecommendationOnly proceed with spawning reviewers after clear user approval, especially for long or sensitive documents.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

scripts/synthesize.sh

node "$TMPSCRIPT" "$SESSION_NAME" "$REVIEWS_DIR"

The script depends on Node.js, but the registry requirements declare no required binaries. This is a metadata completeness issue for a purpose-aligned helper script.

User impactThe synthesis step may fail or behave unexpectedly on systems without Node installed.

RecommendationDeclare Node.js as a required binary or rewrite the synthesis step to use only declared dependencies.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

SKILL.md

sessions_spawn with model=anthropic/claude-opus-4-6, mode=run — all in parallel ... The task field contains the full reviewer prompt ... plus the document content to review.

The skill sends the full document content to multiple spawned reviewer sessions. This is central to the stated review purpose, but it matters for confidential documents and provider/model exposure.

User impactSensitive documents may be shared with multiple model sessions during the review loop.

RecommendationUse the review loop only for documents you are comfortable sending to the configured model provider, and confirm before reviewing confidential material.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

scripts/new-review.sh

REVIEWS_DIR=~/.openclaw/workspace/reviews ... cp "$INPUT_DOC" "$SESSION_DIR/input/$FILENAME"

The helper creates a persistent local review session and copies the input document into it. This is disclosed and purpose-aligned, but retained review artifacts may contain private content.

User impactReviewed documents and generated critiques can remain on disk after the review is finished.

RecommendationReview and delete old session folders when they contain sensitive documents, or add retention/cleanup guidance to the skill.