Skill v1.0.0
ClawScan security
Epistemic Council · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 21, 2026, 11:58 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly matches its stated purpose (pipeline operations and audits) but has several inconsistencies and operational assumptions (hardcoded root workspace path, undeclared runtime dependencies, a downloader file, and some code/constructor mismatches) that deserve review before installation.
- Guidance: What to check before installing/running this skill:
  - Runtime dependencies: The code expects a local LLM (Ollama) reachable at http://localhost:11434 and uses the 'requests' library. Make sure you have the model service and Python dependencies installed in a controlled environment before running. The SKILL.md does not declare these requirements.
  - Filesystem path: SKILL.md runs Python from /root/.openclaw/workspace-epistemic-council-bot/epistemic_council. Confirm you are comfortable granting read/write access to that path (it will create/modify epistemic.db, memory/, heartbeat-state.json, openclaw-runs/). If you run as a non-root user, update the path or run in a sandbox/container.
  - Inspect skill_downloader.py and any omitted files: downloader scripts can fetch code at runtime. If present and not clearly benign, review its contents to ensure it doesn't pull code from arbitrary external servers.
  - Network endpoints: The visible code posts to a localhost model endpoint by default. If you override model_url or code uses other endpoints in omitted files, review them to ensure no unexpected external exfiltration (the provided excerpts do not show external third-party endpoints).
  - Code correctness / runtime errors: There are small inconsistencies in the code excerpts (e.g., some agent classes expect parameters but are sometimes instantiated without them), which could cause runtime exceptions. Test the skill in a disposable environment first.
  - Least-privilege test: Run the skill in a sandbox or container with limited filesystem and network access to observe behavior before granting it access to your main environment.

  If you want, I can: (1) list the omitted files for review, (2) show the contents of skill_downloader.py, or (3) point out the exact lines where constructor/argument mismatches appear so you can patch them before running.
Review Dimensions
- Purpose & Capability (note): Name/description (manage Epistemic Council pipeline) aligns with the provided code: detection, adversarial challenges, audits, re-challenges, and substrate reads/writes. However: SKILL.md presents the skill as 'instruction-only / no install spec' while the package includes many Python modules (so it will actually execute bundled code). The skill expects a local LLM service (mentions Ollama and uses http://localhost:11434) but declares no required binaries or dependencies. This mismatch (no declared dependencies but clear runtime requirements) is a design inconsistency users should be aware of.
- Instruction Scope (note): SKILL.md instructs the agent to run a Python entrypoint in a hardcoded workspace path (/root/.openclaw/workspace-epistemic-council-bot/epistemic_council) which gives the skill explicit permission to read/write files under that path (epistemic.db, memory/, openclaw-runs/, heartbeat-state.json, etc.). That file I/O is consistent with a pipeline manager, but the use of an absolute '/root/...' path is environment-specific and surprising. The runtime instructions do not request unrelated system-wide credentials or mark other system paths, but the code will access the workspace and substrate DB — expected for the stated purpose.
- Install Mechanism (note): No install spec is provided (low install risk), but the code relies on external runtime components that are not declared: 'requests' usage and a local LLM (Ollama) are required. There is also a small skill_downloader.py in the bundle (contents not shown in the manifest excerpt) — downloader utilities can introduce higher risk depending on behavior. Overall the install approach is minimal, but missing dependency declarations and the bundled downloader warrant review.
- Credentials (ok): The skill declares no environment variables, credentials, or external API tokens, and the visible code does not attempt to read unrelated environment secrets. Network calls are targeted at a default localhost model endpoint (http://localhost:11434). No cloud credentials or unrelated service tokens are requested, which is proportionate to its claimed purpose.
- Persistence & Privilege (ok): always:false and user-invocable:true (normal). The skill writes data to its own workspace (epistemic.db, memory/, logs) and updates heartbeat-state.json; that is expected behavior for a pipeline. There is no evidence it modifies other skills or global agent settings.
