Skillv1.0.0

ClawScan security

Agent Retro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 7, 2026, 9:08 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior matches its stated purpose (reading session logs and writing retro notes), but it instructs the agent to read an undeclared agent-session path and to permanently modify core agent configuration files without explicit safeguards, which is elevated privilege and mismatched metadata.
Guidance: This skill appears to do what it says (read past sessions, generate a retro, and persist changes), but there are important caveats to decide before installing: - It reads session logs from ~/.openclaw/agents/... (not declared in the metadata). Confirm you are comfortable granting the agent access to that path. - It will physically modify core files (MEMORY.md, USER.md, SOUL.md, AGENTS.md) and create lock files. Review and version-control those files beforehand and ensure backups are available. - The instructions require writing changes before reporting and do not mandate a human review step. If you want to avoid automatic persistent changes, restrict the skill to manual invocation only or require a 'preview' mode where it shows diffs and asks for approval before writing. - Because modifications are persistent and affect agent behavior, consider running the skill in a sandbox or test agent first, and require diffs/approvals in production. - If you need stronger assurance, ask the skill author to: (1) declare the required config paths in metadata, (2) provide an explicit preview/dry-run mode, and (3) minimize filesystem scope (write only into a single dedicated workspace path).

Review Dimensions

Purpose & Capability: noteThe name/description (daily Agent retro) align with the runtime instructions: the skill reads session logs and writes summaries and updates MEMORY.md, USER.md, SOUL.md, AGENTS.md. These capabilities make sense for a retro workflow.
Instruction Scope: noteSKILL.md explicitly instructs reading all session .jsonl logs for a date, synthesizing 6 structured sections, and performing physical file writes (including backups) before reporting. This is within scope, but the instructions mandate unconditional physical edits (read/edit/write) and do not require a review/dry-run or user confirmation before overwriting core files—granting broad discretion to modify persistent agent state.
Install Mechanism: okInstruction-only skill with no install spec or bundled code, so nothing is written to disk by an installer. Lowest install risk.
Credentials: concernDeclared metadata lists no required config paths or credentials, yet the SKILL.md directs the agent to read ~/.openclaw/agents/${agentId}/sessions and to create/modify workspace files MEMORY.md, USER.md, SOUL.md, AGENTS.md and locks under memory/. The skill accesses and modifies filesystem locations that were not declared in the metadata — a mismatch that increases risk because consumers may not realize it needs these filesystem privileges.
Persistence & Privilege: concernThe skill requires persistent, potentially destructive changes to core agent configuration files (USER.md, SOUL.md, AGENTS.md, MEMORY.md) and creation of lock files. Those changes alter agent behavior long-term. While such changes are coherent for a 'retro' skill, they are high-privilege operations; combined with autonomous invocation default, this increases blast radius if misused.