Skill v1.0.3

ClawScan security

Moses Modes · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 31, 2026, 6:16 PM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a governance/mode-injection tool, but it asks the agent to read a user state file and to log internal reasoning chains — which have privacy and audit implications you should confirm before enabling.
Guidance
This skill appears to be what it says (a governance mode injector), but before installing:
1) Confirm the trusted source of the moses-governance bundle and the procedure for setting state (init_state.py).
2) Ask where "logs" and the "reasoning chain" are stored, how long they are retained, and who/what can read them — chain-of-thought may include sensitive data.
3) Test the mode behavior in a sandboxed agent to see exactly how it modifies prompts and whether it writes files beyond the declared stateDir.
4) Note the small metadata/version mismatch in SKILL.md vs registry; prefer skills with a clear homepage/source and documented release artifacts.

Review Dimensions

Purpose & Capability
ok
Name/description match behavior: the skill injects governance constraints and reads the declared state file (~/.openclaw/governance/state.json). The SKILL.md declares the moses-governance dependency for /govern operations; no unrelated binaries, credentials, or config paths are requested.
Instruction Scope
note
Instructions are narrowly scoped to loading the active mode and applying the listed constraints. However, several modes direct the agent to "log full reasoning chain" or "maintain growth log," which implies retention of chain-of-thought and internal reasoning. That has potential privacy/exfiltration implications and the SKILL.md is vague about where/what is logged and how long logs are retained.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or executed on install based on provided metadata.
Credentials
note
No environment variables, credentials, or unrelated config paths are requested. The single filesystem access (stateDirs: ~/.openclaw/governance) is proportional to the declared purpose, but you should confirm what files are read/written (especially logs) and whether other skills can access the same state/logs.
Persistence & Privilege
note
The skill is not set to always:true and is user-invocable, which is appropriate for governance. Still, its design to 'inject constraints into all agent prompts' gives it global effect over agent behavior; combined with retained logs or chain-of-thought recording this increases blast radius. No evidence it modifies other skills' configurations.