Skill v1.0.0

ClawScan security

GoalGetter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 17, 2026, 3:42 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and instructions are consistent with a local markdown-based task/goal manager and do not ask for unrelated credentials or network access.
Guidance
This skill is coherent and appears to only manage files under ~/.openclaw/goalgetter/. Before installing: (1) Confirm you are comfortable granting your agent read/write access to that directory; (2) Be cautious about enabling an 'exec' tool for the agent — it allows arbitrary shell commands beyond simple file edits; (3) If you plan to use the manual git clone, verify the GitHub repository URL/author (README points to github.com/Steffano198) before cloning; (4) Because some operations are described only as pseudocode, test the skill with noncritical data or a backup copy of your tasks directory to ensure it behaves as you expect.

Review Dimensions

Purpose & Capability
ok
Name/description (local markdown task and goal tracking) match the actions in SKILL.md: creating, reading, appending, and moving files under ~/.openclaw/goalgetter/. No unrelated credentials, cloud APIs, or config paths are requested.
Instruction Scope
note
All runtime instructions operate on ~/.openclaw/goalgetter/ (tasks.md, goals.md, done/). Some operations are expressed as pseudocode (e.g., 'Read tasks.md, find task, move to done/TIMESTAMP.md') which gives the agent freedom to implement parsing/movement logic; that is expected but slightly open-ended. SKILL.md and README instruct the agent to use the read/write (and README also lists exec) tools — these are necessary to modify files but grant the agent capability to run shell commands, so confirm you trust the agent's tooling permissions.
Install Mechanism
ok
Instruction-only skill; no install spec or downloads. README shows optional manual git clone instructions (a sensible, expected developer-provided convenience), but the skill itself does not perform network fetches at runtime.
Credentials
ok
The skill requests no environment variables or credentials. It does expect filesystem access under the user's home (~/.openclaw/goalgetter/). README mentions requiring 'read, write, exec tools' — read/write are proportionate; exec can run arbitrary shell commands, so enabling exec increases privilege but is not inherently required beyond executing the simple echo/cat commands described.
Persistence & Privilege
ok
always:false and no system-wide configuration changes requested. The skill only writes to its own data directory and does not request persistent elevated privileges or modification of other skills' configs.