Skill v1.2.2
ClawScan security
Workflow Note(流程笔记) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 6, 2026, 2:30 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is a pure writing/template guide (which is coherent) but its runtime instructions tell the agent to read arbitrary local config files and the SKILL.md contains detected unicode-control characters (a prompt-injection signal), so there's a risk of unintended data exposure or instruction manipulation.
- Guidance: This skill is a documentation/template for writing workflow notes and is mostly coherent, but exercise caution before letting an agent follow it autonomously. Pay attention to two things: (1) SKILL.md instructs the agent to read other local files and to include 'complete content' — that can pull secrets or internal addresses into a public note; require a manual preview step or automatic redaction before publishing. (2) The SKILL.md contains unicode control characters (prompt-injection signal) — open the file in a hex-capable editor or view raw to check for hidden characters and remove them if accidental or malicious. If you want to use this skill safely: run it with model invocation disabled or require explicit user confirmation before any file reads or before inserting file contents into output; restrict its working directory or run it in a sandbox; and ensure it filters/removes API keys, passwords, tokens, and internal hostnames from any included files. My confidence is medium — if you can confirm the unicode-control chars are benign and that the skill enforces redaction of sensitive fields (or you add a manual-review requirement), the risk would drop.
- Findings: [unicode-control-chars] unexpected: Prompt-injection detector found unicode control characters in SKILL.md. A writing template typically would not include such characters; they can be used to hide/alter instructions or manipulate parsing. Recommend human review of the raw file to confirm intent.
Review Dimensions
- Purpose & Capability (ok): Name/description match the actual content: this is a note-writing template for workflows/. It declares no binaries, env vars, or installs and the files are templates/examples — these are proportionate to a documentation/template skill.
- Instruction Scope (concern): The SKILL.md explicitly instructs the agent to read other files from the user's filesystem (e.g., ~/.openclaw/skills/note-taking/SKILL.md, cron tasks, HEARTBEAT.md, AGENTS.md and 'actual configuration' files) and to include 'complete content' in notes. That behavior can legitimately be needed for producing accurate workflow notes, but it also means the agent may read and embed sensitive or unrelated data. Additionally, the SKILL.md contains unicode-control characters (pre-scan finding) which can be used for prompt-injection or to obscure instructions.
- Install Mechanism (ok): No install spec and no code files; this is instruction-only so nothing gets written or executed automatically during installation — low install risk.
- Credentials (concern): The skill declares no environment variables or credentials, which is appropriate, but the runtime instructions require access to arbitrary config paths and other skills' SKILL.md without declaring them. That implicit file-access requirement is not reflected in requires/configs and can expose sensitive content (secrets, internal addresses) if followed without safeguards.
- Persistence & Privilege (note): always is false and there is no install-time persistence. The skill does instruct reading other skills' files (e.g., the global note-taking SKILL.md), which is a cross-skill read but not an explicit modification or persistent privilege escalation.
