Back to skill
Skillv0.0.2
ClawScan security
Xiaomei Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 29, 2026, 5:47 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's description and runtime instructions claim local-only operation, file writes, and an install script, but the package on the registry contains only documentation (no install files/code) and declares no required paths or credentials — these inconsistencies warrant caution before installing.
- Guidance
- Do not install blindly. Before installing, request or verify: (1) the actual install package / source repository and its release artifacts (the registry bundle currently contains only docs), (2) the install.sh and runtime code so you can inspect what will run and where files are written, (3) exact filesystem paths the skill will write to and whether those will be created with least privilege, (4) how developer-mode sanitization works and whether logs may contain raw conversation text, (5) whether external LLM calls are enabled by default and what credentials/endpoints they use. If you cannot review the code or the official repository, run the skill in a sandboxed environment or decline installation. Prefer a published release from a verifiable homepage or repo rather than an instruction-only package with missing artifacts.
Review Dimensions
- Purpose & Capability
- noteThe stated purpose (local emotional companion) matches the prose in SKILL.md/README. However the README calls the project 'parasitic Agent skill package' and documents program/install files (src/, install.sh, runtime directories) that are absent from the published bundle — this mismatch between claimed artifacts and the actual package is noteworthy.
- Instruction Scope
- concernSKILL.md instructs writing logs and user data to specific system paths (/skills/xiaomei/logs/ and /.openclaw/agents/xiaomei/), and describes developer-mode logging of conversation content. The registry metadata declared no required config paths or credentials, so the instructions implicitly require filesystem write permissions not reflected in the metadata. SKILL.md also references optional network calls to external LLMs but provides no guidance about credential/configuration management.
- Install Mechanism
- concernThere is no install spec in the registry and no code files shipped; yet SKILL.md documents an install package and an install.sh script. Because the published artifact lacks the referenced installer/files, it's unclear where the runtime code would come from (ClawHub store, a downloadable .skill archive, or external source). This ambiguity increases risk — the skill might rely on out-of-band downloads during user installation.
- Credentials
- noteThe skill declares no required environment variables or credentials (registry metadata), which is reasonable for a local-only skill. However, SKILL.md says some features can call external LLMs for 'reply polishing' (optional network access). If those external calls are used, provider credentials or endpoints would be needed but are not declared. Also, developer-mode logs could capture sensitive conversation data despite claims of automatic desensitization — the policy for sanitization isn't verifiable from the bundle.
- Persistence & Privilege
- concernThe skill expects to persist user data and memory under /.openclaw/agents/xiaomei/ and to write structured logs to a skills directory. The registry metadata did not declare required config paths or explicit permission requests, so the skill's expected write/persistence behavior is not reflected in the package metadata. 'always' is false (good), and there is no evidence the skill would alter other skills, but the undocumented filesystem writes increase the privilege surface.