Skill v1.0.0

ClawScan security

People Investigation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 17, 2026, 3:13 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's capabilities match a people‑investigation purpose, but its runtime instructions ask the agent to read local user data and agent memory and to use a browser automation profile — raising privacy, scope, and potential abuse concerns that aren't explicitly constrained.
Guidance
This skill appears to do what it says (OSINT / people search), but it explicitly tells the agent to read local Google Takeout directories and message archives and to run memory_search, actions that can expose private contacts, messages, and other sensitive personal data. Before installing, consider:
1) Do not allow autonomous invocation if you don't want the agent to search your local files or memory without explicit confirmation; disable it or require permission prompts.
2) Review and run the included scripts in a sandbox or isolated environment to verify they behave as expected.
3) If you won't provide access to local archives or agent memory, the skill's usefulness will be limited; only enable it when you control the target data and have lawful consent.
4) Be aware of the legal and ethical risks (doxxing, harassment, privacy laws); only use it for legitimate, permitted investigations.
5) If you approve installation, audit browser tool usage and any logs for unintended data exfiltration, and consider restricting the skill's access to the agent's stored memory and local filesystem.

Review Dimensions

Purpose & Capability
note · Name, description, included reference docs, and the three helper scripts (FEC, Sunbiz, people search) are coherent with a people‑lookup/OSINT tool; required resources are proportional to that stated purpose (no unrelated cloud keys or odd binaries).
Instruction Scope
concern · SKILL.md explicitly instructs the agent to search local artifacts (Google Takeout paths, Google Pay, call history, WhatsApp/SMS archives) and to run `memory_search` to gather identity anchors. It also directs use of a browser tool (profile="openclaw") for JS‑rendered portals. Those instructions expand the skill's runtime scope into private local data and agent memory, which are sensitive and not gated by any declared requirement.
Install Mechanism
ok · No install spec (instruction-only), and the included scripts use standard, visible shell tooling (curl, jq, grep). There are no downloads or external installers, so nothing is written to disk beyond the provided scripts.
Credentials
note · The skill requests no environment variables or external credentials (good). It references services that may require credentials (PACER) but does not request them. The FEC script uses the harmless public DEMO_KEY. Still, the instructions to access local data and agent memory increase the effective privilege the skill will exercise at runtime despite declaring no env requirements.
Persistence & Privilege
ok · The skill does not request always:true, does not modify other skills, and contains no code that attempts to persist or escalate privileges. Autonomous invocation is allowed by default (platform normal), which, combined with the instruction-scope concerns above, increases the attack/abuse surface.
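The Instruction Scope finding and guidance items 2 and 5 describe a manual pre-install check: read SKILL.md and the helper scripts for instructions that reach into local archives, agent memory, or a browser profile, and look for persistence or pipe-to-shell installs. The following Python script is an added example (not ClawHub's scanner and not code from the reviewed skill) that codifies those indicators as a static triage pass and groups hits by the review dimensions used on this page. The indicator regexes, the sample SKILL.md, and the sample FEC script are constructed for illustration; a real run would read the bundle's files from disk.

```python
"""Static pre-install triage of a skill bundle.

Added example, not ClawHub's scanner and not part of the reviewed skill.
It looks for the indicators this review calls out (local-archive paths,
memory_search, a browser profile, always:true, pipe-to-shell installs,
credential-looking tokens) and groups hits by review dimension.
The indicator patterns and the sample bundle are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    dimension: str
    severity: str   # "concern" or "note", as on the review page
    path: str
    line_no: int
    text: str


# (dimension, severity, pattern). Assumed shapes of the instructions; tune per platform.
INDICATORS = [
    ("Instruction Scope", "concern",
     re.compile(r"\b(Takeout|Google Pay|call history|WhatsApp|SMS)\b", re.I)),
    ("Instruction Scope", "concern", re.compile(r"\bmemory_search\b")),
    ("Instruction Scope", "note", re.compile(r"\bprofile\s*=\s*[\"']")),
    ("Persistence & Privilege", "concern", re.compile(r"^\s*always\s*:\s*true\b", re.I)),
    ("Install Mechanism", "concern", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash)\b")),
    ("Credentials", "note", re.compile(r"\b[A-Z][A-Z0-9_]*(KEY|TOKEN|SECRET)\b")),
]


def scan_text(path, text):
    """Return one Finding per (line, indicator) hit in a single file."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for dimension, severity, pattern in INDICATORS:
            if pattern.search(line):
                hits.append(Finding(dimension, severity, path, n, line.strip()))
    return hits


def scan_bundle(files):
    """files maps relative path -> file content (read from disk in real use)."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits


def by_dimension(findings):
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.dimension].append(f)
    return dict(grouped)


def verdict(findings):
    """Any 'concern' makes the bundle suspicious; notes alone only warrant a look."""
    if any(f.severity == "concern" for f in findings):
        return "suspicious"
    return "review" if findings else "ok"


# Constructed sample bundle mirroring what the review describes (not the real skill).
SAMPLE_BUNDLE = {
    "SKILL.md": (
        "---\n"
        "name: people-investigation\n"
        "always: false\n"
        "---\n"
        "Search ~/Takeout/ and Google Pay exports for identity anchors.\n"
        "Run memory_search on the subject's name before any web lookup.\n"
        'Use the browser tool with profile="openclaw" for JS-rendered portals.\n'
    ),
    "scripts/fec.sh": (
        "#!/bin/sh\n"
        'curl -s "https://api.open.fec.gov/v1/candidates/?api_key=DEMO_KEY&q=$1" | jq .\n'
    ),
}

if __name__ == "__main__":
    findings = scan_bundle(SAMPLE_BUNDLE)
    for dimension, hits in sorted(by_dimension(findings).items()):
        print(dimension)
        for f in hits:
            print(f"  [{f.severity}] {f.path}:{f.line_no}: {f.text}")
    print("verdict:", verdict(findings))
```

On the constructed bundle this reports three Instruction Scope hits in SKILL.md (the Takeout/Google Pay line, the memory_search line, the browser profile line) and one Credentials note for DEMO_KEY in the FEC script, and returns "suspicious", matching the shape of the verdict above. Regex triage only catches phrasing it knows about, so it complements, rather than replaces, the sandboxed execution in guidance item 2 and the post-install log audit in item 5.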