Skill v1.1.0

ClawScan security

War Room — Adversarial Decision Engine · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 3, 2026, 5:50 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior mostly matches its stated purpose, but its runtime instructions ask the agent to write persistent files, commit reports, and store decisions to long‑term memory without declaring or justifying that persistence — this raises privacy/persistence risks that users should understand before enabling it.
Guidance
This skill appears to implement the advertised multi-agent war‑room flow, but it instructs the agent to create files in /tmp and ~/roundtable, git-commit reports when applicable, and store key decisions to long‑term memory. Before installing or invoking it, consider:
(1) Will the agent be evaluating sensitive proposals (financial, legal, proprietary)? If so, persistently saving them or storing them in memory may leak sensitive data.
(2) Does your platform's long‑term memory store persist beyond your control or get shared across contexts? If yes, disable or modify the 'store to memory' step.
(3) Do you want the agent to create files under your home directory or to git-commit files in repos that may push to remotes? If not, remove or edit those instructions.
(4) Ask the skill author (or inspect the runtime environment) whether spawned subagents or the platform will have access to other system files or network endpoints.
To reduce risk: run the skill on non-sensitive inputs, remove/disable automatic memory storage, and review/modify SKILL.md so persistence actions require explicit user confirmation each time.
Additional information that would change this assessment to benign: explicit, enforceable limits (and opt-outs) on persistence and memory storage; a guarantee that git commits will never be pushed remotely; or explicit user confirmation prompts before any write/commit/store action.

Review Dimensions

Purpose & Capability
ok
Name/description (adversarial multi-agent war-room) align with the instructions: spawning five roles, structured phases, and domain prompts. No unrelated binaries or credentials are requested.
Instruction Scope
concern
The SKILL.md instructs the agent to write temporary files (/tmp/rt_{topic}.md), create a persistent directory in the user's home (~/roundtable/), save full reports there, git-commit the report if in a managed repo, and 'store key decisions to long-term memory with audit ID.' These are beyond ephemeral reasoning: they create persistent artifacts and require file-system and memory-write actions. The guidance also uses exec/sessions_spawn/read patterns (writing files and having spawned subagents read them), which is reasonable technically but expands the skill's data access surface. The instructions do not require explicit user approval each time or limit what gets persisted.
Install Mechanism
ok
No install spec and no code files — lowest-risk installation footprint. Nothing is downloaded or written at install time from external URLs.
Credentials
concern
The skill declares no environment variables or credentials, which is appropriate. However, it instructs actions (git commit, storing to long-term memory, writing into ~/roundtable/) that may interact with system repos, user-configured git remotes, or platform memory subsystems. Those interactions can surface sensitive information (reports often contain secrets). The skill does not document safeguards, opt-outs, or required permissions for those persistent operations.
Persistence & Privilege
concern
Although always:false is set and autonomous invocation is normal, the skill explicitly asks to persist reports to disk and to long-term memory. This creates ongoing presence/persistence of user data beyond the session and increases the blast radius if sensitive proposals are evaluated. The skill also suggests git committing reports, which may add those artifacts to a repository (and possibly to remotes) unless further restricted.