Skill v2.0.1

ClawScan security

Clawpheus · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 1, 2026, 11:39 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's purpose (generating private, symbolic 'dreams' from past memories) is plausible, but the runtime instructions expect reading/writing private memory files and calling internal 'Engram' tools that are not declared in the metadata — that mismatch and the implicit file-write behavior merit caution.
Guidance
This skill will read and write private journal/memory files and use internal memory/Engram functions, but the registry metadata doesn't declare those file paths or tools. Before installing, confirm that: (1) you are comfortable with a skill reading your journal entries and storing generated dreams in your agent memory, (2) your agent exposes the referenced Engram APIs and memory paths and you trust them, and (3) you understand that the skill will persist user preferences (including optionally writing an enabled:false flag). If you want to proceed, consider testing in a sandboxed agent or backing up your memory/journal files first. If you cannot verify or restrict its file access, treat this installation as higher-risk.

Review Dimensions

Purpose & Capability
note: The name/description (generate dream sequences from previous memories) matches the instructions' stated behavior. However, the skill assumes access to agent memory and an 'Engram' recall/search/emotional API; the registry metadata declares no config paths or required tools. That omission is unexpected but could be explained if these are standard agent capabilities.
Instruction Scope
concern: SKILL.md explicitly instructs the agent to read private journal/memory files (e.g., soul/journal/YYYY-MM-DD.md) and to write generated dreams and preferences to memory/dreams/*.md. It also references using internal functions (engram_recall_time, engram_search, engram_emotional_state). Those file reads/writes and internal-tool calls are broader than the metadata advertises and involve persistent access to potentially sensitive user data; the instructions also include self-modification of preference files (including disabling the skill), which increases the persistence surface.
Install Mechanism
ok: No install spec and no code files are present (instruction-only). That minimizes supply-chain risk: nothing is downloaded or written by an installer.
Credentials
note: The skill requests no environment variables or external credentials, which is consistent with 'no external calls.' However, it implicitly requires file system read/write access to memory/journal paths and access to Engram APIs. Those privileges are not declared under required config paths in the metadata, producing a proportionality mismatch between declared requirements (none) and actual runtime needs (private file and internal-API access).
Persistence & Privilege
note: always:false and normal autonomous invocation are fine. The skill intends to persist user preferences and generated dreams to agent memory (memory/dreams/preferences.md and YYYY-MM-DD.md). Persisting user preferences and content is reasonable for this purpose, but it does give the skill a lasting footprint in agent memory and the ability to toggle its own enabled flag if file access exists.