v3.2.5

Clawhub Skill

Review
ClawScan verdict for this skill. Analyzed May 1, 2026, 7:53 AM.

Analysis

The skill appears to be a real local memory engine, but it grants persistent memory authority and includes under-disclosed command execution, local file handling, and optional cloud/credential paths that deserve careful review.

Guidance: Review this skill carefully before installing. It may be useful if you want a local long-term memory service, but avoid storing secrets until you understand where the data lives, how to stop the service, how to delete memories, whether external LLM providers are enabled, and whether any CLI backend or file-reading feature is configured.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: High; Confidence: High; Status: Concern
cc-soul/cli.js
const proc = spawn(aiConfig.cli_command, [...aiConfig.cli_args, prompt], {

The code can execute an arbitrary configured CLI command and pass the prompt to it. The main docs describe optional OpenAI-compatible API configuration, not this broader local command backend.

User impact: If this backend is enabled or misconfigured, prompts and possibly recalled context could be handed to a local command outside the normal memory API path.
Recommendation: Only enable a CLI backend if you intentionally configured the exact command; prefer a bounded API backend and review any `ai_config` fields before use.

Tool Misuse and Exploitation
Severity: High; Confidence: Medium; Status: Concern
src/context-prep.ts
.map(p => p.startsWith('~/') ? p.replace('~', process.env.HOME || '') : p)

The static scan also reports `readFileSync` in this context-prep path. Expanding `~/` paths from collected paths indicates local file access that is not clearly scoped in the user-facing documentation.

User impact: Sensitive local files could be incorporated into agent context or memory if the skill processes referenced paths without clear approval and path restrictions.
Recommendation: Do not reference private file paths unless you intend them to be read; the skill should document allowed paths, prompts for approval, and whether file contents can be stored or sent to an LLM.

Human-Agent Trust Exploitation
Severity: Medium; Confidence: High; Status: Concern
README.md
100% local memory. Zero cloud upload. Zero telemetry. ... LLM Rerank — NAM recalls 4x candidates, LLM picks the most relevant ones

The documentation makes strong zero-cloud claims while also describing optional cloud-compatible LLM providers that may process queries or recalled candidates.

User impact: Users may believe no data can ever leave the device, even though enabling an external LLM provider can involve sending prompts or memory-derived context to that provider.
Recommendation: Treat the zero-cloud claim as applying only when no external LLM provider is configured; use a local provider if you require local-only processing.

Rogue Agents
Severity: Medium; Confidence: High; Status: Concern
README.md
API starts at localhost:18800 ... every minute: memory decay ... every 6h: L1→L2 topic clustering ... every 12h: L2→L3 mental model

The skill starts a persistent local service with recurring background work that continues beyond a single user request.

User impact: The memory engine can keep running and changing stored memory state in the background after installation.
Recommendation: Install only if you want a long-running memory service; know how to stop it, where it stores data, and how to clear its database.

Agentic Supply Chain Vulnerabilities
Severity: Medium; Confidence: Medium; Status: Concern
SKILL.md
npm install @cc-soul/openclaw
# API auto-starts at localhost:18800

The skill asks users to install an npm package and auto-start a service, while the registry section says there is no install spec for this skill.

User impact: Installation has runtime side effects that may not be captured by the registry’s declared install contract.
Recommendation: Review the npm package source and install scripts before installing, and prefer a pinned version with a clearly declared install mechanism.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
"api_key": "your-key-here"

The optional LLM configuration uses a provider API key stored in `~/.cc-soul/data/ai_config.json`; this is expected for the integration but is not declared as a registry credential.

User impact: A provider API key could be used for paid LLM requests if configured.
Recommendation: Use a least-privilege key, monitor usage, and do not store high-value credentials in this config unless you trust the local file permissions and code path.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
Base URL: `http://localhost:18800` ... `POST /memories` ... `POST /search`

The skill exposes memory storage and search over a local HTTP API, and the examples show no authentication, origin checks, or caller boundary.

User impact: Other local processes or integrations may be able to store or retrieve sensitive memories if they can reach the local service.
Recommendation: Run the service only on trusted machines, restrict localhost access where possible, and look for authentication or caller controls before storing sensitive data.

Memory and Context Poisoning
Severity: High; Confidence: High; Status: Concern
README.md
cc-soul builds a word association network from your conversations... Every message updates word co-occurrence statistics

The system persistently learns from conversations and reuses that data for recall, persona selection, emotion tracking, and future context.

User impact: Private details, emotions, preferences, and inaccurate or maliciously phrased memories can persist and influence future agent responses.
Recommendation: Avoid storing secrets or sensitive personal data unless you trust the implementation; look for delete/export/retention controls and treat retrieved memories as untrusted context.