Skillv1.0.0

ClawScan security

Context Guard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 3, 2026, 4:07 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The instructions match a context-management purpose, but the skill directs reading/writing several specific agent files and channel history without declaring those config paths, and it could cause sensitive data (addresses, balances, TX hashes) to be written to disk—this mismatch and data-risk warrant caution.
Guidance: This skill appears to do what it says (automatic context checkpointing and recovery), but it expects to read and write specific agent files and message history even though the registry metadata doesn't declare those file paths. Before installing or enabling it, consider: - Confirm where SOUL.md, USER.md, MEMORY.md, STATUS.md, HEARTBEAT.md and memory/YYYY-MM-DD.md will be stored and who can read them; ensure filesystem permissions and retention policies are acceptable. - Ask the author to declare required config paths in metadata and to document any protection (encryption, ACLs) for sensitive entries (wallet addresses, TX hashes, balances). - Verify the platform commands referenced (session_status, message action=read) exist and have the expected behavior and permissions in your environment. - If you handle sensitive data, test in a safe environment first and limit what the skill is allowed to persist (avoid storing full JSON/HTML or private keys; keep only minimal restart data). - If you want stricter control, request the skill be updated to: explicitly list required paths, provide an opt-in heartbeat integration step, and include explicit data handling rules (scrubbing/encryption/TTL) for saved files.

Review Dimensions

Purpose & Capability: noteName/description and the runtime instructions are coherent: this is a context-management protocol that monitors context 'waterline', checkpoints state to files, and restores after compression. However, the metadata declares no required config paths or files, while the SKILL.md explicitly expects/uses files such as SOUL.md, USER.md, MEMORY.md, memory/YYYY-MM-DD.md, STATUS.md and HEARTBEAT.md. The absence of declared config paths is an inconsistency (the skill expects file read/write access but metadata doesn't state it).
Instruction Scope: concernSKILL.md instructs agents to run platform commands (session_status), read channel history (message action=read limit=20), and create/append multiple files containing critical state and possibly sensitive items (addresses, wallet balances, TX hashes). Those actions are within the stated purpose but expand scope to persistent storage of potentially sensitive data and to reading user/channel history. The instructions are prescriptive (must checkpoint at 50%), and require modifying HEARTBEAT.md to integrate, which affects agent runtime behavior. The skill does not describe safeguards (encryption, access controls, or retention policy) for stored sensitive data.
Install Mechanism: okInstruction-only skill with no install spec and no code files; nothing is written to disk by an installer. Lower risk from install mechanism.
Credentials: noteNo environment variables or credentials are requested (good). However, the instructions call for writing and reading files that may contain secrets; because no config paths or permissions are declared, it's unclear what filesystem locations and permissions will be used and whether stored data will be protected. The number of 'implicit' file accesses is nontrivial relative to the simple metadata.
Persistence & Privilege: notealways:false (normal). The skill recommends modifying HEARTBEAT.md to run each heartbeat check — that implies persistent integration into agent heartbeat behavior, but this is an instruction rather than an enforced install. It does not request persistent elevated privileges or autonomous always-on inclusion, but integrating into heartbeat increases its runtime footprint and frequency of execution.