Skillv1.0.1

ClawScan security

NOVA Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 7, 2026, 10:06 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions mostly match a file-based long-term memory system, but they ask the agent to read and modify system files and schedule recurring tasks (cron) and reference running scripts that are not included — these behaviors widen the surface and deserve caution.
Guidance: This skill is an instruction-only blueprint for a file-based long-term memory. Before installing or running it: (1) Inspect and vet all file paths it will read/write (notably /root/.openclaw/* and ~/.openclaw/*) because those may contain sensitive data or credentials. (2) Note it asks you to add cron jobs and perform git commits — these create persistent, recurring behavior; only allow them if you trust the author and understand the exact commands. (3) The SKILL.md references running a node script (skills/self-iterator/iterate.js) and Feishu token extraction but does not include those scripts or declare credentials — confirm where those scripts come from and how secrets will be provided. (4) If you want to use it, test in a sandbox or non-production account, back up existing AGENTS.md and workspace files, and require explicit review/approval before applying cron edits or committing changes. Additional information that would raise confidence to high: a provided implementation (code) to review, explicit list of files/commands the skill will run, and a justification for reading any root-level paths or external credentials.

Review Dimensions

Purpose & Capability: noteThe declared purpose (three-layer memory for an AI agent) aligns with creating/reading/writing workspace files (memory/, identity/, MEMORY.md) and maintaining indexes. However the SKILL.md also references absolute system paths (e.g., /root/.openclaw/restart-context.json, /root/.openclaw/workspace) and suggests modifying AGENTS.md and placing files into ~/.openclaw/workspace/skills/ — using root/home-level paths and agent config files is plausible for an on-host memory implementation but broader than strictly necessary and should be justified.
Instruction Scope: concernInstructions tell the agent to read system/agent files (restart-context.json, USER.md), run a node script (node skills/self-iterator/iterate.js), perform git commits, and configure cron jobs for weekly maintenance. These are beyond read-only queries: they involve modification, scheduled persistent execution, and accessing files outside a narrowly scoped workspace. The referenced script/files are not provided in the skill bundle, giving the agent broad discretion to execute unspecified actions.
Install Mechanism: okThere is no install spec and no code files — the skill is instruction-only, which minimizes install-time risk (nothing is downloaded or written by an installer as part of the skill package).
Credentials: noteNo environment variables or credentials are declared, yet the content references integration details (Feishu doc tokens extracted from URLs) and system identity info. The absence of declared required credentials is an inconsistency: the skill implies handling tokens but does not declare or constrain how secrets are provided or accessed.
Persistence & Privilege: concernThe SKILL.md instructs persistent changes (writing/updating memory files, updating MEMORY.md, committing via Git, adding cron tasks, editing AGENTS.md) which gives the skill an ongoing presence on the host. Although always:false and the skill is user-invocable, these instructions would create scheduled autonomous behavior and filesystem persistence if followed — a legitimate memory implementation can require this, but it increases risk and should be explicitly consented to and auditable.