Skill v1.0.0

ClawScan security

Agent Memory Persistent Workspace Memory System · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 9:00 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This skill is internally consistent with its stated purpose (creating a file-based persistent memory structure) but includes instructions that deliberately modify an agent's startup behavior (system-prompt additions and persistent handoff files), which you should review and treat as a potential prompt‑injection/persistence vector before installing.
Guidance
This skill appears to do what it says: create a file-based persistent memory structure and give your agent instructions to load it at startup. Before installing or using it, consider the following:
- Review and control where you run the init script: it writes files into the chosen workspace. Don't run it in a directory that already contains sensitive files or system config.
- Be cautious about adding the provided 'Session Start Protocol' to your agent's system prompt. That action intentionally grants long-lived, persistent instructions to the agent — only add it if you understand and trust the workspace and the files that the agent will read.
- Treat HANDOFF.md and daily logs as potentially powerful: if untrusted users or integrations can write to those files, the agent may read and follow malicious instructions on next start. Restrict file write permissions and only allow trusted writers.
- Never store secrets (API keys, passwords, private tokens) in these markdown files; the skill has no encryption or secret management.
- The script itself is local and uses the Python standard library — review the templates and init_memory.py (they are short and readable) before running. If you want additional safety, run the init step in an empty sandbox workspace and inspect files it creates.
- If you plan to use channel isolation features, confirm your agent/framework actually enforces those isolation rules. This package only creates directories and recommends conventions — enforcement depends on your agent implementation.
If you want tighter guarantees, consider: running in a restricted workspace, applying filesystem permissions, and integrating a vetted secret store or vector DB instead of plaintext long-term memory files.
Findings
[system-prompt-override] expected: The SKILL.md explicitly instructs adding a 'Session Start Protocol' to the agent's system prompt / AGENTS.md so the agent will read and follow workspace files at startup. This is expected for a memory/persistence skill, but is also a prompt-injection/persistence vector and should be treated accordingly.

Review Dimensions

Purpose & Capability
ok: Name/description match the actual behavior: the package creates a workspace of markdown files for session memory and provides an init script. No unrelated credentials, binaries, or network downloads are requested; the included Python init script and templates are proportionate to the stated purpose.
Instruction Scope
note: SKILL.md instructs you to add a startup protocol to your agent's system prompt and to have the agent read/write specific workspace files (HANDOFF.md, USER.md, MEMORY.md, MASTER_MAP.md, daily logs, channel directories). This is expected for a memory system, but those instructions are effectively persistent agent directives (they can change agent behavior across sessions) and therefore act as a prompt‑injection surface if untrusted content is ever written into those files.
Install Mechanism
ok: No install spec, no external downloads. The only code is init_memory.py (uses Python stdlib) and local templates. The script writes files into a user-specified workspace — low-risk from an install perspective.
Credentials
ok: The skill requests no environment variables, credentials, or special config paths. That is proportional. Note: it creates and relies on local files which could hold sensitive data — the skill does not enforce access controls or encryption, so storing secrets in these files would be inappropriate.
Persistence & Privilege
note: always:false (normal). The main persistence risk is behavioral: SKILL.md tells you to add persistent startup instructions to your agent's system prompt and to use HANDOFF.md to persist next-session actions. Those are intended features, but they grant long-lived influence over agent behavior and become dangerous if files are writable by untrusted parties or if you paste these instructions into system prompts without scrutiny.