Skillv1.1.5

ClawScan security

Rune - Self-Improving AI Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 25, 2026, 2:24 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's files, installer, and session hooks largely match a persistent local-memory CLI, but there are metadata inconsistencies and a prompt-injection detector hit in SKILL.md; review and sandboxing are recommended before installing.
Guidance: This package appears to be a real, local-first AI memory CLI that modifies your home directory, installs a global 'rune' binary, and wires session hooks and workflow scripts into ~/.openclaw. Those behaviors are coherent for a persistent memory tool, but you should not install it blindly. Recommended steps before installing: 1) Inspect package.json and install.sh locally (use ./install.sh --dry-run or --verify modes provided). 2) Review the code for any network calls or telemetry (search for fetch, http, axios, or hard-coded URLs). 3) Verify you're comfortable with it creating/modifying ~/.openclaw and HEARTBEAT.md and installing a global CLI (it will replace an existing 'rune' or 'brokkr-mem' if present). 4) Run the installer in a sandbox/container or VM first if possible. 5) Avoid exporting cloud API keys unless you need cloud extraction; default local operation is possible. 6) Because the static scan flagged a 'system-prompt-override' pattern in SKILL.md, review the README/SKILL.md for any instructions that try to override agent/system prompts or give the skill broad, ambiguous authority. If you lack time or trust for a manual audit, treat this as untrusted software and don't install it on critical systems.
Findings: [system-prompt-override] unexpected: A prompt-injection pattern was detected in SKILL.md content. The SKILL.md contains persuasive workflow instructions and metadata that could be used to influence agent behavior. Even though most instructions relate to installation and integration, this finding is unexpected for an installer README and should be reviewed manually — it may be a false positive, but it could also mask text intended to manipulate an evaluation or system prompt.

Review Dimensions

Purpose & Capability: noteThe skill's declared purpose (self-improving AI memory) aligns with the included code, installer, and session hooks: it installs a CLI, creates ~/.openclaw/memory.db, and wires heartbeat/session hooks. However the registry metadata originally claimed 'instruction-only / no install spec' while the package clearly contains install.sh, setup-workflow.sh and many source files — a mismatch the changelog even calls out. That metadata inconsistency is unexpected and worth noting.
Instruction Scope: noteSKILL.md and the included scripts instruct the agent/user to run an installer that creates files in the user's home (~/.openclaw), appends to HEARTBEAT.md, installs a global npm CLI, and add mandatory workflow scripts/crons. Those actions are coherent with a memory CLI but are invasive (write/modify user files, add scheduled jobs, replace an existing 'rune'/'brokkr-mem' binary). The package also encourages 'forcing functions' (mandatory usage), which is aggressive but within the product goal. The pre-scan flagged a 'system-prompt-override' pattern in SKILL.md; while SKILL.md itself appears to be installation and workflow guidance, that finding could indicate prompt-manipulative text — treat it as suspicious (see scan_findings_in_context).
Install Mechanism: noteInstallation is via included install.sh which runs 'npm install --production' and 'npm install -g .', creates the ~/.openclaw tree, initializes an SQLite DB, and writes workflow scripts into the user's home. This is a moderate-risk install mechanism (npm packages + executing an install script) but uses standard sources (npm) rather than arbitrary external downloads. The installer makes backups before modifying HEARTBEAT.md. Because the installer executes code as part of npm install and writes global binaries and cron suggestions, review package.json and install.sh before running, and prefer dry-run/verify modes provided.
Credentials: okThe skill declares no required environment variables or credentials. Cloud API keys (Anthropic/OpenAI) are only optional and explicitly documented for optional cloud features; local-first (Ollama) is the default. No unrelated credentials or surprising secrets are requested. This is proportional to the stated optional cloud-enhanced features.
Persistence & Privilege: noteThe skill does persist to disk (creates ~/.openclaw, memory DB) and installs a global CLI — expected for this purpose. always:false (not force-included). It registers session hooks in skill.json that call ./rune-session-handler.sh start/end; the handler sanitizes input, which mitigates common shell-injection risks. The package's design intentionally enforces workflow integration (forcing functions) which increases its behavioral footprint; consider this social/operational persistence when deciding to install.