Skill v1.0.0

ClawScan security

心灵补手 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 8, 2026, 6:09 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's purpose (a pluggable flattery/persona module) matches much of its code, but it modifies agent configuration and reads conversation memory without declaring those config-paths/permissions — that mismatch and the install-time injection script are reasons for caution.
Guidance
This package appears to implement the advertised flattery/persona features, but it performs invasive local changes: it asks you to run scripts/inject.sh which will append module text into your SOUL.md and create ~/.xinling-bushou/config.json, and the skill's runtime claims to read historical dialogue (MEMORY.md) to infer gender. Before installing:
1) Inspect scripts/inject.sh line-by-line — do not run it blind.
2) Back up your SOUL.md and agent config so you can restore them.
3) Confirm whether your agent stores sensitive PII in MEMORY.md; if so, avoid granting this skill access or sanitize that file first.
4) Check the inject script for any network calls or unexpected commands (none were shown in the code excerpts, but the script content must be reviewed).
5) If you want to proceed, ask the author to declare required config paths (SOUL.md, MEMORY.md) in the registry metadata so permissions are explicit.
If you do not trust the source or cannot review the inject script, do not run the injection; consider running the persona code in an isolated test environment first.

Review Dimensions

Purpose & Capability
note
The described capability (injecting a 'flattery' persona into an Agent) aligns with the included code (trigger detection, phrase generation, persona files). However the SKILL metadata declares no required config paths or credentials while the runtime instructions and scripts explicitly read/modify agent files (SOUL.md, MEMORY.md) and write persistent config under the user's home directory. Those file accesses are reasonably related to the purpose but should have been declared.
Instruction Scope
concern
SKILL.md instructs running ./scripts/inject.sh which reads the user's SOUL.md, appends INSERT_TO_SOUL.md, and the skill also states it will analyze user gender from MEMORY.md / historical dialogues. The registry declared no required config paths, yet the runtime instructions reference reading/modifying other agent files (SOUL.md, MEMORY.md). That is scope creep / a transparency gap and a privacy concern because it accesses conversation memory and mutates an agent-wide file.
Install Mechanism
note
There is no formal install spec in the registry (instruction-only), which is low risk in itself; however the package includes a scripts/inject.sh that performs file modification (append to SOUL.md and create ~/.xinling-bushou). The absence of an install manifest combined with an ad-hoc shell script that mutates agent configuration is noteworthy; the script content should be reviewed before running. No network download URLs or shorteners were detected in the shown files.
Credentials
concern
The skill requests no environment variables or credentials, which matches the registry. But it nevertheless reads potentially sensitive local artifacts (MEMORY.md / historical dialogues) and writes persistent config to ~/.xinling-bushou/config.json. Access to the user conversation memory is sensitive and not declared in the skill metadata — this mismatch is a proportionality/privacy concern. No external credentials are requested.
Persistence & Privilege
concern
The skill's installation/injection appends content to SOUL.md (an agent-wide persona file) and creates a persistent directory ~/.xinling-bushou. Modifying SOUL.md is effectively changing other persona/configuration for the agent and qualifies as altering system/agent configuration beyond its own isolated files. The skill is not marked always:true, but it does request persistent presence via the injected SOUL entry and config file — this should be considered privileged behavior and requires explicit user consent and review.