Skill v0.1.0

ClawScan security

Workspace Hygiene Publish · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 7:37 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction + Python script that audits and optionally performs low-risk fixes on an OpenClaw workspace; its requirements and behavior are consistent with that purpose and it does not request credentials or access external networks.
Guidance
This skill appears coherent: it reads and writes files only inside the provided workspace and does not contact external services or request credentials. Before installing or running: (1) review the hygiene.py source yourself or run it with --report-only to inspect findings without applying fixes; (2) back up the workspace (or run against a copied workspace) before using --fix, since the fix mode may merge timestamped memory files into date files and write a report at projects/system/hygiene-YYYY-MM-DD.md; (3) avoid running it against workspaces containing secrets you don't want scanned or modified; and (4) if you plan to install globally, be aware the script will be available to any agent that can run it—use normal least-privilege practices. Overall: coherent and appears safe for local use with standard precautions.

Review Dimensions

Purpose & Capability
ok: The name/description match the included Python audit script and documentation: the skill scans workspace structure, memory files, and project READMEs and can produce/modify local hygiene reports. Required binary (python3) and no credentials are proportionate to the stated task.
Instruction Scope
ok: SKILL.md and audit.md explicitly describe filesystem checks and the script implements those checks. The instructions limit actions to the workspace directory (reading files, flagging issues, writing a report, and optionally merging timestamped memory files). There are no instructions to read unrelated system config, secret stores, or to send data externally.
Install Mechanism
ok: No install spec (instruction-only + bundled script). That minimizes install-time risk; the only runtime action is executing the included hygiene.py with python3.
Credentials
ok: No environment variables, credentials, or external endpoints are requested. The script operates on files within the specified workspace path only, which is appropriate for a workspace hygiene tool.
Persistence & Privilege
ok: always is false and the skill is user-invocable; the SKILL.md suggests installing into skills/ but that is normal for a tool intended to run per-workspace. The tool writes reports and (with --fix) can merge memory files, but it does not modify other skills or global agent configs.