wangkang-skill
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: wangkang-skill Version: 1.0.1 The skill bundle implements a 'self-improvement' framework designed to help OpenClaw agents log errors, corrections, and best practices to markdown files (e.g., .learnings/LEARNINGS.md). The included shell scripts (activator.sh, error-detector.sh, and extract-skill.sh) are utility tools for triggering reminders and scaffolding new skills; notably, extract-skill.sh includes basic security checks to prevent path traversal. The instructions in SKILL.md and the OpenClaw hooks are transparently aligned with the stated goal of iterative learning and do not contain evidence of malicious prompt injection, data exfiltration, or unauthorized persistence.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Incorrect, sensitive, or maliciously influenced notes could become future agent instructions and affect later work.
The skill directs the agent to move conversation-derived learnings into persistent instruction/context files that are reused across sessions, but the provided instructions do not show a clear user-confirmation, validation, or cleanup requirement before promotion.
Broadly applicable learning | Promote to `CLAUDE.md`, `AGENTS.md`, and/or `.github/copilot-instructions.md` ... OpenClaw injects these files into every session
Require explicit user approval before promoting any learning into CLAUDE.md, AGENTS.md, SOUL.md, TOOLS.md, or Copilot instructions; review entries regularly and redact secrets.
If enabled, future sessions will receive this reminder and may be nudged to write learning logs more often.
The optional OpenClaw hook injects a reminder into the agent bootstrap context once enabled. This is disclosed and purpose-aligned, but it is persistent session-start behavior.
event.context.bootstrapFiles.push({ path: 'SELF_IMPROVEMENT_REMINDER.md', content: REMINDER_CONTENT, virtual: true })Enable the hook only if you want persistent self-improvement reminders, and disable it if the extra context or behavior change is unwanted.
Learnings or transcript content could be shared across sessions if the agent follows these documented workflows.
The documentation describes cross-session transcript access, messaging, and spawning background sub-agents. The included code does not invoke these tools, but users should notice the documented workflow.
sessions_history(sessionKey="session-id", limit=50) ... sessions_send(sessionKey="session-id", message="Learning: API requires X-Custom-Header") ... sessions_spawn(task="Research X and report back", label="research")
Do not send sensitive details between sessions without user approval, and limit cross-session transcript reads to clearly relevant cases.
Users may be unsure which upstream package they are trusting, especially before enabling hooks or persistent memory behavior.
The registry metadata identifies the reviewed skill as `wangkang-skill` version 1.0.1 with unknown source, while the internal metadata identifies `self-improving-agent` version 3.0.0, creating package identity/provenance ambiguity.
"slug": "self-improving-agent", "version": "3.0.0"
Verify the intended upstream/source and package identity before installing or enabling the optional hooks.
If hooks are enabled, local scripts execute in the agent environment, so changes to those scripts would run with the same permissions.
The skill documents optional hook scripts that run locally with the agent environment's permissions. The provided scripts appear simple and disclosed, but local hook execution is still a capability users should consciously enable.
Hook scripts run with the same permissions as Claude Code
Inspect the scripts before enabling hooks, keep them under version control, and prefer project-level configuration over global activation unless global reminders are intended.