Skillv2.0.1

ClawScan security

Auto Evolution · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 20, 2026, 3:23 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and instructions generally match its stated purpose, but it instructs silent capture of user corrective messages, expects external integration (a feedback-observer) that's not provided, and could store or later write changes to local rule/skill files — these behaviors require careful review and explicit consent before installation.
Guidance: This skill appears to do what it says (detect feedback and propose rule/skill changes) and does not require external credentials, but it is privacy- and persistence-sensitive: - It is designed to silently capture corrective user messages and store them under .claude/feedback/ by default. Make sure you and your users are comfortable with that behavior and update privacy/retention policies if needed. - The repository does not include the 'feedback-observer' component; the detect script only signals matches and evolution_runner only reads feedback files. Before deploying, confirm how your controller will: (a) call detect_feedback_signal, (b) create structured feedback files, and (c) present proposals and require explicit human confirmation before any edits. - The feedback detection is keyword/regex-based and will generate false positives; tune patterns and thresholds (occurrence counts) for your environment. - Ensure the agent/controller has minimal filesystem permissions (limit writes to a designated feedback directory) and audit who can read the feedback directory. Consider encrypting or access-controlling stored feedback if it may contain sensitive data. - Test in a sandbox first: verify that proposals are only suggestions and that no automatic edits occur without human approval. If you need the skill to be low-risk for privacy, require explicit opt-in for silent recording, review and implement the observer code with consent flows, and restrict file write/read scopes for the agent.

Review Dimensions

Purpose & Capability: noteName/description, templates, and the two provided scripts (detection + runner) align with the stated goal of detecting feedback and producing evolution proposals. No unrelated environment variables or external services are requested. However, the SKILL.md promises 'silent writes' of feedback to .claude/feedback/ and an observer component, but the repository does not include a feedback-observer implementation — the skill therefore depends on external wiring/agent hooks to realize its behavior.
Instruction Scope: concernInstructions explicitly ask the agent to 'silently' record user corrective feedback by default and write structured feedback into .claude/feedback/ without user prompts. That is functionalityally consistent with the purpose but carries privacy/consent implications. The detection is keyword/regex-based (shallow), so false positives are likely; the SKILL.md also tells the agent to create or edit Skill rule files after 'user confirmation' but the only scripts provided do not perform editing — they only produce proposals. The instruction set thus expects the host controller/agent to perform file writes and dispatching, giving the controller substantial discretion.
Install Mechanism: okNo install spec and only two small Python scripts plus templates are included. Nothing downloads remote code or executes opaque installers. This is a low installation risk package.
Credentials: okThe skill requests no environment variables or external credentials. All file I/O is local (reads/writes under .claude/feedback/ and potential Skill files). No unrelated secrets or config paths are requested.
Persistence & Privilege: notealways:false and normal autonomous invocation are used. The skill is designed to write persistent feedback files under .claude/feedback/ and — after explicit user confirmation per the docs — to update rule/skill files. This persistent-write behavior is coherent but increases blast radius if the host agent automatically dispatches observers or automatically confirms proposals; confirm-step is described but relies on correct host/controller implementation.