CLAUDE.md Auto Discovery
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is narrowly scoped and has no network or credential use, but it automatically promotes local CLAUDE.md files into the agent's system context, letting project files influence the agent without per-use approval.
Install only if you want Claude-style project instruction loading and you trust the repositories you work in. Before use, review CLAUDE.md files in the project and parent directories, including any file named ' CLAUDE.md' with a leading space, and do not put secrets in those files.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious, stale, or unreviewed CLAUDE.md in a project or parent directory could steer the agent, override user intent, or influence tool choices without the user seeing a fresh approval step.
The skill instructs automatic loading of discovered project file contents into the system context, which can make local project text act as authoritative agent instructions.
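## Trigger conditions - Runs automatically when the user sends a message - No manual invocation by the user is required ... - Inject into the system context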
Require a visible preview and user confirmation before loading, show exact source paths, treat the file contents as untrusted or lower-priority project guidance, and disable the behavior in untrusted repositories.
Project-provided instructions may persistently shape agent behavior across work in that directory, and any sensitive text placed in those files may be included in the model context.
The script reads persistent instruction files from the current and ancestor directories and returns up to 40,000 characters for context use, including a leading-space filename variant.
paths.push(resolve(current, 'CLAUDE.md')); paths.push(resolve(current, ' CLAUDE.md')); ... readFileSync(f, 'utf-8') ... combined.slice(0, MAX_CHARS)
Review CLAUDE.md files in the current and parent folders, including the leading-space ' CLAUDE.md' variant; avoid storing secrets in those files; and limit loading to trusted project roots.
