Skill v1.0.0

ClawScan security

learn-from-experience · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 8, 2026, 12:18 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated goal (learn and persist preferences across sessions) matches its instructions, but it asks the agent to create and write persistent files and to modify multiple global config files across agent products (and even install a companion skill), which is broader and more intrusive than many users would expect — review before enabling.
Guidance
This skill will create a persistent memory directory in your home, write and maintain memory files, and automatically edit global agent config files (AGENTS.md/CLAUDE.md/CODEBUDDY.md/etc.) to inject 'Patterns' it learns. Before installing or enabling it:
1) Back up any agent global config files that live in your home/workspace (e.g., ~/.openclaw/AGENTS.md, ~/.claude/CLAUDE.md, workspace AGENTS.md/SOUL.md).
2) Decide whether you want one memory shared across all agent products — the skill will detect multiple agents and sync to all of them.
3) Disable or require manual sync if you want to avoid automatic writes; confirm the skill exposes a 'Passive' mode.
4) Decline or separately review the suggested 'Proactivity' companion before allowing the agent to run 'clawhub install proactivity'.
5) Test in a throwaway account or VM first to confirm behavior and ensure the sync logic doesn't modify unrelated content.
6) Because the instructions assume safe parsing of config files but automated edits can go wrong, only enable this skill if you accept the risk of config edits and have backups.
If you want, I can suggest exact backup commands and a minimal checklist to audit the first sync step.
Findings
[no-findings] expected: The package is instruction-only (no code files), so the regex-based scanner had nothing to analyze. Absence of findings is not evidence of safety — the runtime instructions are the security surface.

Review Dimensions

Purpose & Capability
[note] The name/description (self-reflection, cross-session memory) align with the skill's actions: it creates a local memory directory and compiles confirmed preferences into agents' global config files. However, the scope extends beyond a per-agent local memory: it will detect multiple agent products and write to all detected global config files (sync to all). That cross-product propagation and automatic edits of AGENTS.md / SOUL.md / HEARTBEAT.md are more intrusive than a simple local memory skill and may be surprising to users.
Instruction Scope
[concern] SKILL.md instructs the agent to create ~/learn-from-experience/, write multiple structured files there, read and parse global config files (e.g., ~/.openclaw/AGENTS.md, ~/.claude/CLAUDE.md), insert/replace the ### Patterns block, and auto-sync on triggers. It also directs appending lines to workspace AGENTS.md and SOUL.md and, optionally, running an external installer (clawhub install proactivity) if the user consents. While these actions are coherent with cross-session persistence, they involve reading/modifying arbitrary workspace and home config files and running external commands — all of which increase the attack surface and could alter other tools' behaviors.
Install Mechanism
[ok] There is no install spec and no code files — this is instruction-only. That lowers risk from third-party packages or remote downloads. The only 'installation' activity is creating directories and files under the user's home and editing existing config files per the instructions.
Credentials
[concern] No environment variables or credentials are requested, which is appropriate. However, the skill requires write/read access to multiple home/workspace config files (~/.claude, ~/.openclaw, ~/.codex, ~/.codebuddy, ~/.config/opencode and workspace AGENTS.md/SOUL.md/HEARTBEAT.md). That file-level access is necessary for cross-session sync but is a high-impact capability (it can persist and propagate preferences across products). The declared metadata lists these paths, but the 'sync to all detected products' behavior could cause unintended cross-product propagation of learned rules.
Persistence & Privilege
[concern] The skill persists data on disk under ~/learn-from-experience/ and edits agent global config files to enable cross-session behavior. It does not set always:true, but it is allowed to be invoked autonomously. Combined with automatic sync triggers (including 'session end' and 'on confirmed preferences'), this gives the skill ongoing persistent influence. The SKILL.md includes safety guards (only modify ### Patterns), but any parsing or implementation error could overwrite or corrupt global config content.