Skill v2.0.15
ClawScan security
Agent Memento · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 10:01 AM
- Verdict
- Benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's files, scripts, and runtime instructions are consistent with its stated purpose (a tick-driven autonomous agent framework), but it performs high-risk actions (arbitrary command execution, automated git rollbacks, optional HTTP preview, npm installs), so you must run it only in an isolated environment and review plans before allowing it to run.
- Guidance
- This skill is consistent with its stated purpose but performs powerful, potentially destructive actions. Before installing or initializing:
  - Do NOT run init or start the Tick engine in a directory that contains valuable, uncommitted, or secret files. The framework intentionally performs automated git checkout/stash/cleanup, which can overwrite or stash local work.
  - Run everything inside an isolated VM, container, or throwaway repo. Treat the project as ephemeral until you've validated its behavior.
  - Inspect every MASTER_PLAN.md verify command before allowing the Tick worker to run; these verify commands are executed verbatim and can run any shell command.
  - If you enable the dashboard --enable-preview flag, be aware that it will serve your project directory over HTTP; do not enable it for directories that contain secrets or private keys.
  - Be prepared for npm installs (the dashboard uses puppeteer, which downloads browser binaries). Audit dependencies if you require stricter supply-chain controls.
  - Review scripts/init_memento.sh and scripts/memento_tick.sh and test them manually in a sandbox to confirm they match your safety expectations (check the cleanup/stash behavior and any use of environment variables or network access).
  - If you want to proceed, clone the skill onto an isolated machine, run init in a disposable git repo, back up anything important, and monitor the first few ticks manually before adding a cron job.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the delivered artifacts: scripts to scaffold projects, a Tick engine (memento_tick.sh), a dashboard (Node/Express), system prompts, and templates. Declared required binaries (bash, openclaw, node, npm, git) are appropriate for the stated functionality; there are no unrelated credentials or surprising external services requested.
- Instruction Scope
- concern: Runtime instructions and scripts explicitly run arbitrary 'verify' shell commands defined in MASTER_PLAN.md and allow the Tick worker to modify files, auto-commit, and perform multi-phase git rollback/stash operations. The dashboard chat and system prompts instruct autonomous behavior (e.g., 'DO NOT pause or stop unless explicitly told'), and the Tick worker will run on cron. These behaviors are coherent with the purpose but are high risk because arbitrary commands in MASTER_PLAN.md can execute anything in the project environment, and the rollback logic can overwrite or stash local work.
- Install Mechanism
- note: No explicit install spec in registry metadata (instruction-only), but the included code expects npm installs when starting the dashboard (start_daemon.sh triggers npm install). Dependencies include puppeteer, which downloads browser binaries and can be large. No downloads from untrusted URLs are present; installs are via npm (public registry).
- Credentials
- concern: The skill does not request secrets or environment variables (primaryEnv none), and the code attempts to limit child processes' environments (it clears env and passes a minimal PATH). However, because the system executes arbitrary verify commands (shell) and can optionally mount/serve the entire project directory via /preview, it can read/expose any files placed in the project. That makes running this skill in repositories containing secrets or important unbacked-up data disproportionate to safe usage.
- Persistence & Privilege
- concern: always:false (good), and autonomous invocation is expected here (cron). Still, the skill autonomously runs on a schedule, performs commits, and executes destructive cleanup (git checkout, stash, git clean semantics). This persistent, autonomous capability, combined with write/delete operations, increases the risk of accidental data loss or unintended side effects if used outside an isolated sandbox.
