v1.1.3

S2 Mothership [3.22 Native]

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:19 AM.

Analysis

This skill is described as local spatial state management, but the artifacts show smart-home actuation, sensitive local memory storage, heartbeat/self-healing behavior, and reviewer-facing safety claims that are not fully consistent with the included files.

GuidanceDo not install this as a simple local coordinate/state tool without further review. If you proceed, keep real actuation disabled, use limited/revocable smart-home tokens, inspect all storage and backup locations, confirm how heartbeat/self-healing works, and require explicit approval before any device-control action.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

Dear Reviewers... Unicode Purge: Removed all emojis, rich text formatting, and hidden control characters... Removed all legacy terms like "local backup" or "vault".

The skill directly addresses reviewers with safety/compliance assurances, while the scan reports a unicode-control-chars signal and the included manifest/code still contains vault/backup components such as s2_vault_guardian.py and s2_state_backup.

User impactUsers may over-trust the safety claims and miss important persistence, backup, and smart-home-control behavior.

RecommendationTreat the compliance claims as untrusted; review the actual code paths, storage locations, and actuator behavior before installing.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

s2_kernel/chronos/s2_garden_manager.py

每日清晨 06:00 园艺结算：生成今日养护工单与自动执行指令 ... self._trigger_valve(plant.linked_irrigation_valve, "ON", duration_minutes=15)

The code documents an automatic scheduled workflow that can trigger a physical irrigation valve, with no clear artifact-backed per-action approval or rollback boundary.

User impactA mistaken schedule, sensor value, or parsed command could cause real-world device actions such as opening a water valve.

RecommendationDisable real actuation by default, require user confirmation for each device command, and add hard allowlists, dry-run mode, limits, and audit logs.

Rogue Agents

SeverityMediumConfidenceHighStatusConcern

s2_kernel/security/s2_vault_guardian.py

verify_and_heal_vault ... if current_hash != authorized_hash ... return self._execute_quantum_healing(authorized_hash) ... shutil.copy2(self.mirror_db_path, self.primary_db_path)

The code can restore the primary local memory database from a mirror when it detects deletion or modification, which may override user attempts to clear or edit stored state.

User impactSensitive local state may persist or reappear after a user deletes or changes it, reducing user control over stored data.

RecommendationProvide a clear user-controlled reset/delete path that removes both primary and mirror stores, and do not run self-healing without explicit consent.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

SKILL.md

bins: [python3, sqlite3]
pip: [pyyaml, requests, paho-mqtt]

The skill declares runtime binaries and unpinned pip dependencies, while the install section says there is no install spec. These dependencies are common and purpose-aligned, but the setup path is not fully specified.

User impactUsers may need to install packages manually and should verify package sources and versions.

RecommendationPin dependency versions, document installation steps, and align registry metadata with SKILL.md.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

SKILL.md

env: [S2_PRIVACY_CONSENT, S2_ENABLE_REAL_ACTUATION, HA_URL, HA_TOKEN, TUYA_CLIENT_ID, TUYA_SECRET]

The skill requires Home Assistant and Tuya credentials plus a real-actuation flag, which grants access to smart-home accounts/devices and goes beyond the narrow public description of coordinate/state management.

User impactInstalling or configuring this skill could give it delegated authority over home automation devices or related cloud accounts.

RecommendationOnly provide least-privilege, revocable tokens; separate test and production smart-home accounts; and require explicit confirmation before any real device action.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityHighConfidenceHighStatusConcern

s2_kernel/chronos/s2-memory-hook-skill.py

log_files = glob.glob(os.path.join(TARGET_LOG_DIR, "*.*")) ... logs.append({"timestamp": timestamp, "type": "LOCAL_CONTEXT_SYNC", "raw_text": f"[SYNC] {chunked_text}"})

The skill reads local context log files and persists raw synchronized text into a local memory store; the artifacts do not clearly define retention, deletion, sanitization, or how future agents should trust this stored context.

User impactPrivate conversation or context data could be retained and later reused, and poisoned local logs could influence future behavior.

RecommendationRequire explicit opt-in, limit paths, redact secrets, set retention/deletion controls, and treat stored memory as untrusted unless verified.