Back to skill
Skillv0.2.0
ClawScan security
Lumi Diary · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 16, 2026, 4:10 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally coherent with its description: it operates on a local vault, requests only local filesystem access, and its code matches the SKILL.md behavior; the only notable signal is a prompt-injection style artifact (unicode control chars) flagged in the persona text that you should inspect before installing.
- Guidance
- Things to check before installing: - Inspect SKILL.md (system_prompt/persona) for invisible characters or unexpected instructions (the scanner flagged unicode control characters). Remove or sanitize any suspicious control characters. - Confirm LUMI_VAULT_PATH defaults to a local, non-sensitive folder (do NOT point it at system directories or any cloud-mounted sensitive paths). - If you plan to run the MCP server (mcp_server.py), understand it opens an interface for local MCP-compatible clients; only enable it if you trust the clients on your machine/network. - When importing .lumi capsules, review their contents before import to avoid introducing unexpected files; the code claims sanitization, but manual review is prudent. - Playwright is optional and only used for PNG exports; install it only if you need screenshot export and run it in a low-privilege environment. Overall this package reads/writes only to its vault and does not request external credentials—appropriate for a local-first diary—but you should still review the persona text and vault path choices before enabling the skill.
- Findings
[unicode-control-chars] unexpected: A prompt-injection scanner flagged unicode control characters in SKILL.md. The changelog claims earlier removals of such characters, but the pre-scan still detected them. This is not required for the skill's functionality and should be inspected (they can be used to hide or alter persona instructions).
Review Dimensions
- Purpose & Capability
- okName/description (local-first memory guardian) match the code and declared permissions. The skill only requires local read/write and an optional LUMI_VAULT_PATH; its features (recording fragments, portraits, export/import capsules, rendering canvases, optional Playwright screenshot) are consistent with that purpose.
- Instruction Scope
- noteSKILL.md instructs the agent to call local tools (manage_identity, check_time_echoes, record_fragment, etc.) and to read/write within the vault — this is expected. However, the persona text is long and the package exposes that persona via the MCP adapter (lumi_persona reads SKILL.md). A pre-scan flagged unicode-control-chars in SKILL.md (prompt-injection style pattern); you should review the SKILL.md/persona text for unexpected invisible characters or malicious instructions before enabling the skill.
- Install Mechanism
- okThere is no remote download/install step in the skill manifest. Code files and a requirements.txt are bundled in the package (playwright optional). No external or shortened URLs or extraction-from-untrusted-hosts are present in the manifest.
- Credentials
- okOnly one environment variable (LUMI_VAULT_PATH) is referenced to set the local vault root; no cloud keys or unrelated secrets are requested. That env var is reasonable for a local-first storage skill.
- Persistence & Privilege
- okThe skill does not request always:true and does not modify other skills' configs. It runs as a normal skill (can be invoked autonomously) and includes an optional MCP server adapter — running the MCP server is an explicit action, not automatic.