Skill v1.0.0
ClawScan security
Ai Persona Os.Bak · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 23, 2026, 3:06 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill largely matches its stated purpose (a workspace / persona OS) but contains metadata inconsistencies and a runtime instruction pattern (forced verbatim outputs + repeated use of exec to run shell commands) that merit caution before installing.
- Guidance: Things to check before installing or approving commands:
  1. Verify metadata and provenance: confirm the publisher/owner and version (registry metadata vs SKILL.md/_meta.json mismatch). Ask the author or registry for clarification if you care about provenance.
  2. Inspect the scripts locally (e.g., scripts/security-audit.sh and cron templates) before allowing the agent to exec them. Look for any network calls (curl, wget, nc), eval/exec patterns, or commands that touch paths outside ~/workspace.
  3. When the skill asks to run commands via exec, review each exec approval carefully. The skill instructs the agent to run many ops automatically (zero-terminal). Approve only the specific commands you inspected.
  4. If you plan to enable optional gateway/cron features, be aware they may require DISCORD_TOKEN/SLACK_TOKEN or the openclaw CLI; only provide those after confirming exactly what will be done and where tokens will be used.
  5. Run the included security-audit script yourself first (in a safe environment) to confirm it behaves as claimed (local grep-only checks).

  Given the coherent purpose but packaging/metadata inconsistencies and the runtime pattern of agent-driven exec, proceed with caution and manual inspection before granting execution approval.
Review Dimensions
- Purpose & Capability
- [note] The files, templates, and included scripts align with a 'persona OS' that bootstraps ~/workspace. Required binaries are standard Unix tools and there are no declared required credentials. However, package/registry metadata is inconsistent with embedded metadata: the top-level registry lists version 1.0.0 and ownerId A, while SKILL.md/_meta.json use version 1.6.2 and a different ownerId. The skill's public name 'Ai Persona Os.Bak' vs SKILL.md 'ai-persona-os' is also inconsistent. These mismatches could be an innocuous packaging oversight but should be verified with the publisher.
- Instruction Scope
- [concern] SKILL.md explicitly instructs the agent to run shell commands via the exec tool (never tell the user to open a terminal) and to output exact verbatim menus. The core flow is restricted to ~/workspace and cron/gateway changes are marked 'opt-in', which is good. Still, the insistence on verbatim outputs and agent-driven exec for every step increases the chance of repeated automatic shell operations if the user approves them without review. There are several included helper scripts (scripts/security-audit.sh and cron templates); you should inspect those scripts before approving any exec runs. The instructions claim 'no network activity' for core setup; verify this by reviewing all scripts before execution.
- Install Mechanism
- [ok] No install spec is provided and the skill is primarily instruction/templates plus a few local shell scripts. That limits arbitrary remote install behavior. The presence of shell scripts means files will be executed if the agent runs them, but nothing in the package indicates it will download or extract remote code during core setup.
- Credentials
- [ok] The skill requires no environment variables; optional metadata lists DISCORD_TOKEN and SLACK_TOKEN only for gateway features, which matches the described optional channel integration. There are no unexplained credential requests in requires.env or in SKILL.md.
- Persistence & Privilege
- [ok] always: false (not force-included) and disable-model-invocation false (normal autonomous invocation). The skill writes/creates files under ~/workspace by design; SKILL.md explicitly constrains file operations to that directory. No evidence it modifies other skills or system-wide agent settings.
