Skill v1.0.0

ClawScan security

Self Improvement For All · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 14, 2026, 11:44 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, documentation, and runtime behavior are consistent with its stated purpose (a local, dependency-free tool that records and searches learnings); it writes data locally and requests no credentials or network access.
Guidance
This skill appears to do what it says: a small, local Python module that records and searches 'learnings' in JSON files. Before installing or using it, note that it will create a .adaptive_learning directory (learnings.json, errors.json) in the working directory and stores any text you pass to it in plaintext. Do not record passwords, API keys, or other secrets into this store unless you encrypt or otherwise protect those files. Also verify the repository/contact listed in manifest.yaml if you want to confirm provenance (the registry metadata showed 'Source: unknown' while the manifest references a GitHub project). If you plan to share exported JSON with teammates, review it first for sensitive contents.

Review Dimensions

Purpose & Capability
ok
The name/description (adaptive learning from errors and corrections) aligns with the included Python implementation and SKILL.md. The manifest and SKILL.md both advertise zero dependencies, local-only storage, and no API keys; the code implements local JSON files under a .adaptive_learning directory. Minor note: registry metadata indicated 'Source: unknown' while manifest.yaml contains a GitHub homepage/repository, a documentation inconsistency but not functionally suspicious.
Instruction Scope
ok
SKILL.md instructs the agent/user to copy/import the Python file and use the provided record/search/export methods. The code's methods correspond directly to the documented API (record_learning, record_error, search_learnings, export_learnings, etc.). There are no instructions to read unrelated system files or environment variables, and runtime behavior is limited to managing learnings/errors in local JSON files.
Install Mechanism
ok
There is no install spec (instruction-only skill) and the package includes a single Python module with no external downloads or install steps. This is low-risk: nothing is fetched from arbitrary URLs and no archives are extracted.
Credentials
ok
The skill declares no required environment variables or credentials and the code does not access environment variables or external services. It only writes to the local storage path (default: .adaptive_learning). Note: because data is stored locally, the agent may persist any text passed into record_* calls; users should avoid recording secrets or sensitive data they would not want saved in plaintext.
Persistence & Privilege
ok
The skill does not request permanent inclusion (always: false) and does not modify other skills or system-wide configuration. It only creates and manages its own storage files in a local directory.