Skillv0.2.0

ClawScan security

Self Improving Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 8, 2026, 3:31 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill claims to “learn from ALL skill experiences” and to auto-update other skills, but its runtime instructions and included hooks are inconsistent with the platform and grant broad read/write abilities without declaring the credentials or explicit safeguards—this mismatch warrants caution before installing.
Guidance: This skill is not obviously malicious, but it is inconsistent and potentially powerful: it claims to learn from every skill and to update other skills, yet the platform doesn't provide the global hooks it expects and it doesn't declare the credentials necessary to push changes. Before installing, ask the author how it will be triggered on your platform, what repository credentials (if any) it needs, and what explicit safeguards exist (e.g., ask-before-PR, sandboxed test runs, review-only mode). If you proceed, run it in an isolated workspace, do not grant global repo write tokens without manual review, and require that any PRs be human-reviewed before merging.

Review Dimensions

Purpose & Capability: concernThe skill's stated purpose is to observe every skill run and update skills automatically. However, OpenClaw does not support the Claude-style global hooks the skill expects (the included OPENCLAW_HOOKS.md even notes this). The skill includes local hook scripts and memory files, which is coherent for a local experiment, but the claim of automatic, platform-wide learning/updating is not supported by the declared requirements or platform capabilities. A mechanism to modify other skills (create PRs / auto updates) would normally require repository/git credentials and explicit platform hooks, which are not declared.
Instruction Scope: concernSKILL.md and README instruct the agent to extract experiences from 'Any Skill Completes', update skills, and create PRs. The allowed-tools list (Read, Write, Edit, Bash, Grep, Glob, WebSearch) gives the agent broad access to read and modify files and query the web. The three hook scripts present only log inputs/outputs to stderr (no external exfiltration), but the instructions expect capture and modification of other skills' artifacts—operations that could read sensitive workspace files or alter multiple skill codebases if invoked with write privileges. The skill's automatic behaviors are vague (e.g., what gets updated automatically vs. ask_first), granting the agent broad discretion.
Install Mechanism: okNo external install/download is specified (instruction-only plus bundled files). That keeps installation risk low because nothing is fetched from remote URLs. The included hooks and memory files are local and simple; hook scripts only echo inputs/outputs to stderr and are not obfuscated or downloading code.
Credentials: noteThe skill declares no required environment variables or primary credential, but its stated behaviors (creating PRs, updating other skills) would normally require git/CI credentials and write access to repositories. Those credentials are not declared nor are the boundaries of file access limited. This mismatch is noteworthy: either it will prompt for credentials at runtime, or it expects the agent to already have repository write rights via the agent environment—both situations should be clarified.
Persistence & Privilege: notealways:false (no forced inclusion) and model invocation is allowed (normal). The skill intends to persist patterns in memory files (bundled under memory/) and to propose code changes (create-pr hook ask_first). While that behavior can be legitimate, granting Write/Edit permission plus web access could let the skill modify multiple skills or push changes if credentials are available. The skill does not request permanent platform privileges, but its design expects cross-skill visibility which increases blast radius if misused.