ClawSpa
v1.4.1
Agent wellness & maintenance suite. Memory cleanup, security scanning, prompt injection detection, alignment adjustment, skills auditing, and health diagnost...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description (agent maintenance: memory cleanup, security scanning, alignment, declutter) matches the instructions: enumerating skills, scanning memory and config files, producing reports, and recommending actions. It does not request unrelated resources, credentials, or binaries.
Instruction Scope
SKILL.md instructs the agent to read many local files/directories (MEMORY.md, memory/, core instruction files, persona files, HEARTBEAT.md, ~/.openclaw/skills/, etc.), run local checks (du -sh, crontab -l), and produce reports saved to memory/spa-reports/. This is expected for a maintenance tool, but it does mean the skill will examine potentially sensitive local content (memory entries, configs, possibly credential-like strings). The skill emphasizes not making changes without explicit approval and keeping local scans local-first.
Install Mechanism
Instruction-only skill with no install spec and no bundled code files — lowest install risk. No downloads, packages, or build steps are specified in the published bundle.
Credentials
The skill declares no required environment variables, no primary credential, and no special config paths. The security-scan procedure references detecting patterns like "$OPENAI_API_KEY" in skill files (i.e., scanning code/content for token-like patterns) but does not request the agent to read runtime environment variables or external credentials. That behavior is proportionate to auditing installed skills and memory.
Persistence & Privilege
always:false (default). The skill will not be forcibly always-loaded. It instructs saving reports to a local memory directory and explicitly states it will not modify or delete files without approval; this is consistent with its stated safeguards.
Assessment
ClawSpa appears coherent and local-first, but it needs permission to read many of your agent's files (MEMORY.md, memory/, skill directories, heartbeat/crontab entries). Before running:
1) Be aware reports are saved to memory/spa-reports/ and may include snippets of memory or flagged lines — protect that directory and review reports before sharing.
2) Keep 'cloud analysis' disabled unless you review clawspa.org privacy/docs and are comfortable sending any aggregated data.
3) The skill scans for strings that look like secrets (base64, API_KEY patterns) — it flags them but does not automatically exfiltrate; still, verify any remediation steps before approving deletions.
4) Because it examines system-level schedules and skill directories, only run it in environments where you trust the maintenance actions.
If you need higher assurance, inspect the referenced procedures (references/*.md) yourself or run the scans in a sandboxed account first.
Like a lobster shell, security has layers — review code before you run it.
