Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto Reflection

v2.0.1

Automatically logs task completions, tool executions, and errors into dated reflection files for experience extraction and concurrent optimization.

by ECsss @olveww-dot
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose (log tool/subagent outcomes and distill lessons) matches the included scripts and TypeScript code: they write dated markdown entries and generate lessons. However SKILL.md presents a one-line curl/tar install that pulls an archive from a third‑party GitHub repo (olveww-dot/openclaw-hermes-claude), while the registry bundle already contains the code files. The mismatch between 'instruction-only' claim and the presence of several code files is inconsistent but not necessarily malicious.
Instruction Scope
Runtime instructions and scripts write arbitrary text provided to them into files under workspace/memory/reflections. The shell script and TS programs use OPENCLAW_WORKSPACE (not declared) and a hardcoded default of '/Users/ec/.openclaw/workspace' in several files — this is user-specific and may create files in unexpected paths or fail. The logger will record whatever context/errors are passed (could include secrets) with no redaction. Hooks suggested in README/SKILL.md run the log script automatically after tools/subagents, which means unreviewed outputs could be persisted.
Install Mechanism
There is no formal install spec, but SKILL.md recommends curling and extracting a GitHub archive (archive/main.tar.gz) — this downloads and extracts remote code. While GitHub is a normal host, the URL points to a third‑party personal repo (not an official release); extracting archives from the network is higher-risk than a packaged install. The included install.sh itself operates locally (cp/rsync) and does not fetch network resources.
Credentials
The skill does not request credentials or secret env vars. It does rely on OPENCLAW_WORKSPACE (used by scripts/TS) but does not declare it. The main privacy concern is proportional: the skill will log tool outputs/errors/contexts verbatim to disk, so any sensitive strings in those outputs would be persisted. No network exfiltration or third‑party API keys are required.
Persistence & Privilege
The skill is not always:true and does not modify other skills or global agent settings. It writes files into the user's OpenClaw workspace (memory/reflections) which is expected behavior for a logging/reflection tool. Autonomous invocation (default) is allowed but not an additional red flag by itself.
What to consider before installing
Before installing:

1) Verify the source: SKILL.md suggests downloading a GitHub archive from a third‑party account — prefer to inspect the code locally rather than piping curl | tar.
2) Inspect and run install.sh locally (don't run the remote curl one‑liner).
3) Note the scripts default to OPENCLAW_WORKSPACE and in some files default to '/Users/ec/.openclaw/workspace' — update these to your actual workspace path to avoid creating files in unexpected locations.
4) The logger will persist whatever text is passed (tool outputs, error messages) with no redaction — avoid logging secrets or modify scripts to sanitize sensitive fields.
5) If you want more safety, run the skill in a restricted/sandboxed environment first, and add the hook to your OpenClaw config only after confirming the behavior.

If you are uncomfortable with fetching code from the referenced GitHub repo, prefer the bundle provided here and confirm checksums or source origin before trusting the remote install command.

Like a lobster shell, security has layers — review code before you run it.

46 downloads
0 stars
6 versions
Updated 4h ago
v2.0.1
MIT-0

Auto Reflection

🛡️ OpenClaw hybrid evolution plan: porting the core capabilities of Hermes-agent (100K ⭐) + Claude Code to OpenClaw

Name: hermes-auto-reflection
Category: infrastructure
Version: 2.0.0

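What does this Skill do?

Helps Xiao Daidai reflect automatically: record lessons from errors, distill decision experience, and optimize the way it works.

🚀 One-line install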

mkdir -p ~/.openclaw/skills && cd ~/.openclaw/skills && curl -fsSL https://github.com/olveww-dot/openclaw-hermes-claude/archive/main.tar.gz | tar xz && cp -r openclaw-hermes-claude-main/skills/auto-reflection . && rm -rf openclaw-hermes-claude-main && echo "✅ hermes-auto-reflection 安装成功"
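A staged alternative to the one-liner above, added here as an example and not part of SKILL.md or the project: it saves the archive to disk, checks member names, and unpacks only skills/auto-reflection. The function names and the /tmp path are assumptions; the URL and directory names come from the one-liner.

```shell
# Added example: staged replacement for the curl | tar one-liner.
# URL and archive layout are taken from the one-liner; function names are hypothetical.
URL=https://github.com/olveww-dot/openclaw-hermes-claude/archive/main.tar.gz
TOP=openclaw-hermes-claude-main

# Step 1: save the archive to disk so it can be inspected before anything is unpacked.
fetch_archive() {  # $1 = output file
  curl -fsSL -o "$1" "$URL"
}

# Step 2: reject member names (read from stdin) that are absolute or contain "..".
names_are_safe() {
  while IFS= read -r name; do
    case "$name" in
      /*|..|../*|*/..|*/../*) return 1 ;;
    esac
  done
  return 0
}

# Step 3: extract only skills/auto-reflection into the skills directory.
install_from_archive() {  # $1 = saved tarball, $2 = destination skills directory
  tar -tzf "$1" | names_are_safe \
    || { echo "unsafe member name in archive" >&2; return 1; }
  tar -tzf "$1" | grep -q "^$TOP/skills/auto-reflection/" \
    || { echo "skills/auto-reflection not found in archive" >&2; return 1; }
  mkdir -p "$2" || return 1
  tar -xzf "$1" -C "$2" --strip-components=2 "$TOP/skills/auto-reflection"
}

# Typical use (nothing here runs automatically):
#   fetch_archive /tmp/openclaw-hermes-claude.tar.gz
#   tar -tvzf /tmp/openclaw-hermes-claude.tar.gz | less   # read the listing first
#   install_from_archive /tmp/openclaw-hermes-claude.tar.gz "$HOME/.openclaw/skills"
```

The name check does not cover symlink members, so read the `tar -tvzf` listing and the extracted scripts before enabling any hook.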

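Overview

Combines three capabilities:

  • C3 Task Notification: proactively notifies the main session when a subagent completes
  • C6 concurrent execution optimization: records experience from dispatching multiple subagents in parallel
  • H3 built-in auto reflection: errors are recorded automatically and decision experience is distilled

Trigger methods

Method 1: manual trigger (simplest)

EC says: "Reflect on this"
Xiao Daidai runs: bash ~/.openclaw/skills/auto-reflection/scripts/log-reflection.sh tool --success true --tool <tool name> --context <what was done> --decision <why it was done this way>

Method 2: automatic logging after an error occurs

When Xiao Daidai makes a mistake or EC corrects it, a reflection is logged automatically:

bash ~/.openclaw/skills/auto-reflection/scripts/log-reflection.sh tool --success false --tool <tool name> --context <error description> --decision <what should have been done>

Method 3: logging after a subagent completes

bash ~/.openclaw/skills/auto-reflection/scripts/log-reflection.sh subagent --task <task name> --outcome <outcome> --lessons <lessons>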
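Because the logger persists --context, --outcome and similar values verbatim, one option is to call it through a redacting wrapper. The following is an added example, not part of the skill: the patterns are constructed and not exhaustive, and `redact`, `log_reflection_redacted` and `LOG_REFLECTION_SH` are hypothetical names.

```shell
# Added example: mask likely secrets in every argument before log-reflection.sh sees it.
# Patterns are constructed for illustration; extend them for the tools you actually run.

# Read text on stdin; mask bearer tokens, key=value style secrets and AWS access key IDs.
redact() {
  sed -E \
    -e 's/(Bearer[[:space:]]+)[A-Za-z0-9._-]+/\1[REDACTED]/g' \
    -e 's/(([Pp]assword|[Pp]asswd|[Ss]ecret|[Tt]oken|[Aa]pi[_-]?[Kk]ey)[[:space:]]*[=:][[:space:]]*)[^[:space:]&"]+/\1[REDACTED]/g' \
    -e 's/AKIA[0-9A-Z]{16}/[REDACTED_AWS_KEY_ID]/g'
}

# Redact each argument in place, then call the skill's logger with the cleaned arguments.
# LOG_REFLECTION_SH (hypothetical) overrides the script path shown on this page.
log_reflection_redacted() {
  script=${LOG_REFLECTION_SH:-$HOME/.openclaw/skills/auto-reflection/scripts/log-reflection.sh}
  n=$#
  while [ "$n" -gt 0 ]; do
    # Append the cleaned copy of $1, then drop the original from the front.
    set -- "$@" "$(printf '%s' "$1" | redact)"
    shift
    n=$((n - 1))
  done
  bash "$script" "$@"
}

# Typical use:
#   log_reflection_redacted tool --success false --tool curl \
#     --context "request failed: api_key=..." --decision "retry with backoff"
```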

Storage locations

  • Reflection log: memory/reflections/YYYY-MM-DD.md
  • Distilled lessons: memory/reflections/lessons.md

View today's reflections

bash ~/.openclaw/skills/auto-reflection/scripts/log-reflection.sh cat

View lessons learned

cat ~/.openclaw/workspace/memory/reflections/lessons.md

File structure

auto-reflection/
├── SKILL.md                   ← This file
├── README.md                  ← Usage guide
├── install.sh                 ← One-line install script
└── scripts/
    └── log-reflection.sh      ← Reflection logging script

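🧩 Companion skills

This skill is part of the OpenClaw hybrid evolution plan:

🔗 GitHub project: olveww-dot/openclaw-hermes-claude

Full skill suite (6):

  • 🛡️ crash-snapshots: crash protection
  • 🧠 auto-distill: T1 automatic memory distillation
  • 🎯 hermes-coordinator: commander mode
  • 💡 context-compress: chain-of-thought continuity
  • 🔍 hermes-lsp-client: LSP code intelligence
  • 🔄 hermes-auto-reflection: auto reflection (this document)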
