Skill v1.0.0
ClawScan security
Daily Digest Hardened · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 1:41 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's stated purpose matches the code (read memory files and write a digest), but the SKILL.md claims guardrails (credential scanning/redaction and prompt-injection resistance) that the included script does not enforce, creating a risky mismatch.
- Guidance: Do not install/run this skill unattended if you keep any credentials or sensitive data in your memory/ files. The SKILL.md promises secret scanning and injection-resistance, but the included script does not perform any redaction or credential-detection before writing the digest. Recommended actions before use: (1) inspect and sanitize your memory/ files manually (remove or replace secrets), (2) update or replace digest_daily.py to implement explicit secret-detection and redaction (or a whitelist approach) before writing digests, and (3) run the script in a sandbox or with limited file permissions until you verify it behaves as expected. If you rely on the skill's guardrails for safety, request a patch from the author that adds programmatic credential scanning (and unit tests demonstrating redaction) before trusting it with real data.
Review Dimensions
- Purpose & Capability (ok): Name, description, SKILL.md, README, and digest_daily.py all align: the tool reads memory/YYYY-MM-DD.md (today and yesterday) and writes journals/digest/digest-YYYY-MM-DD.md. No unrelated env vars, binaries, or external services are requested.
- Instruction Scope (concern): SKILL.md lists strong guardrails (scan memory for credential patterns, never include secret values in output, treat memory as untrusted data, do not modify memory, never transmit digests externally). The Python script, however, performs straightforward extraction and writes entire extracted text to the digest without scanning or redacting credential patterns. That mismatch means secrets present in memory could be copied into journals/digest files despite the written guardrails.
- Install Mechanism (ok): No install spec and only a small Python script are included; nothing is downloaded or executed from external URLs. This is low-risk from an installation/execution supply-chain perspective.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The absence of requested secrets is appropriate for its stated function.
- Persistence & Privilege (ok): Flags are default (always: false, agent invocation allowed). The script writes only to journals/digest/ (creating it if missing) and does not modify other skill/system configuration. No elevated persistence or cross-skill config changes are requested.
