Reflect
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved, the skill can change agent instructions, create new skill files, and commit those changes to a repository.
The skill can edit files and create git commits after approval. This is aligned with its purpose, but it is high-impact local mutation authority.
On `Y` (approve):
1. Apply each change using Edit tool
2. Run `git add` on modified files
3. Commit with generated message
Review every proposed diff before approving; use selective approval for uncertain changes and keep changes under version control.
Conversation details and corrections may be stored locally and reused to shape future assistant behavior.
The learnings log is designed to persist exact conversation quotes, which can include sensitive user content or instructions that later influence agent behavior.
```
source_quote:
  type: string
  description: Exact quote from the conversation
```
Avoid approving learnings that include secrets, private data, or overly broad instructions; periodically review and prune the learnings log.
If configured, the hook may run automatically during compaction and create local reflection output/logs.
The skill provides optional hook-based behavior that can run during context compaction. It is disclosed and user-enabled, but it is persistent automation.
Auto-Reflection Automatically creates reflection output file when context compacts... Note: Auto-reflection only runs if you've enabled it with `/reflect on`.
Only install the hook if you want automatic reflection, and leave auto-reflection off unless you are comfortable with background local logging/output generation.
Using the hook may require external Python tooling and package resolution not reflected in the registry metadata.
The optional hook uses uv script execution and an unpinned PyYAML dependency, while registry requirements declare no required binaries. This is a dependency/provenance note, not evidence of malicious behavior.
```
#!/usr/bin/env -S uv run --script
# dependencies = [
#   "pyyaml",
# ]
```
Verify the local script path and dependency source before enabling the hook; consider pinning dependencies if you rely on it.
