Back to skill
Skillv1.0.0
ClawScan security
agent resilience · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
ReviewMar 13, 2026, 11:03 AM
- Verdict
- Review
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions match its stated goal (durable session memory/WAL), but it instructs the agent to persist and read conversational data and unspecified notes/logs — behavior that can capture sensitive information and reach beyond the declared scope.
- Guidance
- This skill is internally coherent for 'durable memory' behavior but it will persist and read conversational content and may consult other notes/logs. Before installing or enabling it, decide where the memory files will live and who/what can read them. Recommended safeguards: - Restrict the memory directory to a controlled, access-restricted path (not a system or home directory with broad access). - Add filtering or redaction steps before writing to files to avoid storing secrets, credentials, or PII. - Clarify what 'today's + yesterday's daily notes' means in your environment or remove that step if you don't want the agent to scan other files. - Disable or review any 'spawn sub-agent' behavior; limit network access for spawned agents if possible. - Audit memory/working-buffer files regularly and set a retention policy (automatic expiry or manual review). If you cannot enforce those constraints in your agent runtime, treat this skill as higher risk and consider not enabling it.
Review Dimensions
- Purpose & Capability
- okName and description (agent resilience, WAL, working buffers, compaction) align with the instructions: writing session state, maintaining a working buffer, compaction/recovery, and verification steps. The files and protocols the SKILL.md defines are coherent with the stated purpose.
- Instruction Scope
- concernThe runtime instructions tell the agent to write persistent files (memory/SESSION-STATE.md and memory/working-buffer.md) and to log every exchange when 'context reaches ~60%'. They also instruct reading 'today's + yesterday's daily notes', 'grep logs for past successes', and 'spawn a research sub-agent'. Those steps can cause the agent to read/write broader user files or logs and to create sub-agents that may access more resources. This increases the risk of capturing PII, secrets, or other sensitive data and of the agent accessing files outside a narrowly-scoped memory directory.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files. Nothing will be written to disk by an installer; only the agent's runtime behavior (file read/write) is relevant.
- Credentials
- noteThe skill requests no environment variables or external credentials (proportionate). However, the SKILL.md implicitly expects access to local notes and logs (unspecified locations). That implicit file access is not declared in requires.env or config paths and may require or result in access to unrelated files.
- Persistence & Privilege
- noteThe skill does not set always:true and requests no special platform privileges, but it explicitly instructs persistent storage of conversational content in memory/*.md. Persistent logging of interactions increases the blast radius (longer retention of captured data) and should be considered a privileged behavior even without explicit platform-level flags.