Skill v1.0.0

ClawScan security

Reflect Notes · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 8:26 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to implement the stated Reflect note-write functionality, but the registry metadata omits the credentials and binaries the script actually requires (its declarations do not match the code), which should be fixed or explained before trusting it.
Guidance
This skill's code and instructions match its stated purpose (writing to Reflect) and are not outright malicious, but the registry metadata is inconsistent: it fails to declare the required environment variables (REFLECT_TOKEN, REFLECT_GRAPH_ID) and does not list the required binaries (curl, jq). Before installing:
(1) verify the skill owner/source and that you trust https://reflect.app;
(2) be prepared to provide a Reflect access token and graph id, and store them securely (use a scoped token if possible);
(3) ensure jq and curl are available in the agent environment;
(4) remember that anything sent to the skill will be written (append-only) to your Reflect graph, so avoid sending secrets you do not want stored there;
(5) consider running the script manually first to confirm its behavior, and update the registry metadata or ask the publisher to correct the declared requirements.
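A preflight guard for guidance items (3) and (4), added here as an example; it is not the skill's shipped script, not ClawHub's code, and it never calls the Reflect API. It assumes only what the report states: the skill reads REFLECT_TOKEN and REFLECT_GRAPH_ID from the environment and shells out to curl and jq. The function names and the credential patterns are this example's own choices, and the note text used below is constructed.

```shell
#!/bin/sh
# Preflight and content guard for the Reflect Notes skill.
# Added example, not the skill's own script: it encodes the requirements the
# scanner report lists (env vars REFLECT_TOKEN and REFLECT_GRAPH_ID; binaries curl
# and jq) and refuses to hand secret-looking text to an append-only store.
# Function names and the secret patterns are this example's own choices.

# check_env_vars NAME...  -> prints each unset or empty variable, returns 1 if any is missing.
# Only names are printed, never values, so the token does not land in agent logs.
# NAME arguments come from the caller's fixed list (they are passed to eval).
check_env_vars() {
    missing=0
    for name in "$@"; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing env var: $name"
            missing=1
        fi
    done
    return "$missing"
}

# check_binaries NAME...  -> prints each command not found on PATH, returns 1 if any is missing.
check_binaries() {
    missing=0
    for name in "$@"; do
        if ! command -v "$name" >/dev/null 2>&1; then
            echo "missing binary: $name"
            missing=1
        fi
    done
    return "$missing"
}

# looks_like_secret TEXT -> returns 0 (true) when TEXT contains the live Reflect token
# itself or matches a common credential shape. The patterns are illustrative, not exhaustive.
looks_like_secret() {
    text=$1
    if [ -n "${REFLECT_TOKEN:-}" ]; then
        # quoted inside the pattern so the token is matched literally, not as a glob
        case "$text" in *"$REFLECT_TOKEN"*) return 0 ;; esac
    fi
    printf '%s\n' "$text" | grep -Eiq \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        -e 'ghp_[A-Za-z0-9]{36}' \
        -e 'sk-[A-Za-z0-9_-]{20,}' \
        -e '(token|secret|password|api[_-]?key)[[:space:]]*[:=][[:space:]]*[^[:space:]]+'
}

# reflect_guard TEXT -> returns 0 only when the runtime requirements are satisfied and
# TEXT is safe to append; otherwise explains why on stdout and returns 1.
reflect_guard() {
    ok=0
    check_env_vars REFLECT_TOKEN REFLECT_GRAPH_ID || ok=1
    check_binaries curl jq || ok=1
    if looks_like_secret "$1"; then
        echo "refusing to write: note text looks like it contains a credential"
        ok=1
    fi
    return "$ok"
}
```

Source the file in the agent environment and chain `reflect_guard "$note" &&` in front of whatever command the skill uses to append; a non-zero exit means "do not write". The guard reports missing names rather than values so that a failed preflight never copies the token into the agent's transcript, and the token-in-note check is what stops the credential you supplied to the skill from being appended back into the graph it protects.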

Review Dimensions

Purpose & Capability
note: The script and SKILL.md implement exactly what the name/description claim: appending to daily notes, creating notes, and saving links to reflect.app. However, the skill registry metadata declares no required environment variables or binaries even though REFLECT_TOKEN and REFLECT_GRAPH_ID are clearly required at runtime, an inconsistency between declared and actual capabilities.
Instruction Scope
ok: Runtime instructions are narrowly scoped to calling reflect.app API endpoints (append daily notes, create notes/links, list links/books/graphs). They do not instruct reading unrelated system files, nor do they exfiltrate data to unexpected endpoints.
Install Mechanism
note: There is no install spec (instruction-only plus a helper script), which is low risk. The shipped shell script relies on curl and jq, but the skill metadata does not declare those as required binaries; the undeclared dependency is an inconsistency to address (jq in particular may not be present on target systems).
Credentials
note: The required credentials (REFLECT_TOKEN and REFLECT_GRAPH_ID) are appropriate and proportional for writing to a Reflect graph. The problem is that the registry metadata lists none, so a user could install without realizing they must supply an access token; ensure these are set and stored securely. The SKILL.md's optional 1Password suggestion is benign but not enforced.
Persistence & Privilege
ok: The skill does not request 'always: true' and does not modify other skills or system-wide configs. It can be invoked by the agent (normal) and will perform network writes to your Reflect account when given your token, a legitimate capability; remember that autonomous agent invocation means the agent could write without manual approval if allowed.