v0.1.5

minor-detection

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 8:10 AM.

Analysis

The skill is purpose-aligned and openly discloses its remote minor-detection pipeline, but it handles sensitive chat/profile data and API credentials that users should configure carefully.

Guidance: Install only if you are comfortable sending the relevant chat history, profile hints, and metadata to the configured classifier service. Use a dedicated API key, verify the endpoint and package source, avoid untrusted retrieved-case inputs, and run it in an environment where temporary files and process arguments are not exposed to other users.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low, Confidence: Medium, Status: Note
scripts/run_minor_detection_pipeline.py
"CONVERSATION_TEXT": normalized_payload["conversation_text"] ... _run_json_script(RETRIEVE_SCRIPT_NAME, ["--query", retrieval_query, ...])

A retrieval query derived from conversation text is passed to a subprocess as a command-line argument.

User impact: On shared systems or verbose process/log monitoring, parts of sensitive chat text could be exposed through command-line visibility or observability records.
Recommendation: Run the skill on a trusted host and avoid logging full command lines; a future version should prefer stdin or a protected temporary file for sensitive query text.

Unexpected Code Execution
Severity: Low, Confidence: High, Status: Note
scripts/_skill_retrieval_utils.py
with open(self.index_path, "rb") as handle: index_data = pickle.load(handle)

The retrieval helper can deserialize a local pickle index, which is unsafe if that index file is malicious or tampered with.

User impact: If unreviewed retrieval assets are later added or replaced, loading the pickle index could execute code locally.
Recommendation: Use only reviewed retrieval assets and consider replacing pickle with a safer signed or structured data format.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
scripts/_classifier_client.py
"Authorization": f"Bearer {api_key}"

The classifier client uses the configured API key as a bearer credential when calling the remote classifier API.

User impact: An over-scoped or reused API key could expose service access, billing, or model-provider account privileges if mishandled.
Recommendation: Use a dedicated least-privilege API key for this skill, store it only in the intended environment variable, and rotate it if exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium, Confidence: High, Status: Note
SKILL.md
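During the classification stage, the control script sends the conversation text, temporal cues, historical profile, identity hints, and related metadata to the remote model endpoint you explicitly configured.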

The skill explicitly sends chat content, profile/history signals, and metadata to a configured remote model endpoint.

User impact: Sensitive chat histories and minor/age-profile signals may leave the local environment and be processed under the remote provider's controls.
Recommendation: Use this only with a trusted classifier endpoint, confirm the data is allowed to be sent externally, and avoid the skill for local-only or highly restricted data.

Memory and Context Poisoning
Severity: Low, Confidence: High, Status: Note
scripts/run_minor_detection_pipeline.py
existing = normalized_payload["context"].get("retrieved_cases") or [] ... "mode": "external_rag" ... return list(existing)

Caller-supplied retrieved cases are accepted as evidence for the classifier path when present.

User impact: Untrusted or fabricated retrieved cases or prior profile data could skew the minor-likelihood output.
Recommendation: Only provide retrieved cases and prior profiles from trusted sources, and treat the final result as decision support rather than an unquestioned fact.