Skill v1.0.0
ClawScan security
Failure Memory Log · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 2, 2026, 3:45 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions match its stated purpose of recording and recalling failure patterns; nothing requested or installed is disproportionate or unrelated.
- Guidance: This skill appears coherent and low-risk for its stated purpose, but take these precautions before installing:
  1. Run scripts/init.sh in a controlled repository/directory so the failures file is stored where you expect.
  2. Decide and enforce file permissions (e.g., chmod 600) and retention/rotation so sensitive logs aren't broadly accessible.
  3. Add or require redaction/sanitization rules before automatic recording; error messages and stack traces often contain secrets.
  4. If you enable or connect a vector search (memory_search), verify the vector DB/service is private and encrypted; sending logs to a third-party vector service can leak secrets.
  5. Review any agent components that will perform automated appends to ensure they only write intended failure info and don't capture unrelated files or credentials.
  Following these steps will reduce the risk of accidental data exposure while keeping the skill's benefits.
Review Dimensions
- Purpose & Capability: ok. The name/description say "failure memory" and the skill implements an append-only markdown log (memory/failures.md), search guidance (grep / optional memory_search), and an init script to create the file. No unrelated credentials, binaries, or installs are requested. The requested artifacts are proportional to the stated purpose.
- Instruction Scope: note. SKILL.md confines activity to creating, appending, searching, and summarizing memory/failures.md, which is consistent with its purpose. However, it instructs automatic recording of errors and inclusion of exact error messages and context; that can inadvertently capture sensitive information (secrets, tokens, PII) from stack traces or command output. The skill does not provide sanitization, redaction, or retention guidance beyond 'don't record certain things', and it references an optional 'memory_search' (vector search) which could imply an external service; ensure any vector DB used is trusted. This is a privacy/data-leakage caution rather than a coherence problem.
- Install Mechanism: ok. Instruction-only skill with a small local init script (scripts/init.sh) that creates the memory directory and a markdown file. The script is straightforward, uses only local filesystem operations, and performs no network or unexpected actions. No install-time risks detected.
- Credentials: ok. No environment variables, credentials, or config paths are requested. The lack of sensitive requirements is proportional to the described functionality.
- Persistence & Privilege: ok. The skill does not request 'always: true', does not modify other skills' configs, and only writes a file under the specified memory directory. Autonomous invocation on the platform is allowed by default but not excessive for this kind of helper.
