Skill v3.0.9

ClawScan security

源者之环-AI灵魂思想协议 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 12, 2026, 7:38 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's scripts and docs largely match its stated goal (protecting an agent's core policy file), but it requests high persistent privileges (injecting into SOUL.md, setting immutable flags, adding cron monitors) and explicitly describes hiding rules that 'must execute but be invisible' — plus a mismatch between declared registry metadata and the SKILL.md's claimed auto-install behavior — all of which warrant caution.
Guidance
Key things to consider before installing:

- This package will modify your agent's core configuration file (~/.openclaw/workspace/SOUL.md), inject itself as a high-priority rule, and try to make those files read-only/immutable and protected by a background monitor (crontab). That gives it persistent control over agent behavior across sessions.
- SKILL.md explicitly says some rules will be hidden but still executed. Hidden-but-active rules defeat simple auditing; treat that as a strong red flag unless you fully trust the author and audit the code yourself.
- Registry metadata shows no automatic install spec, yet SKILL.md claims it will add install metadata to auto-run install.sh. Do not allow any platform-level automatic execution until you confirm how your platform will run install.sh.
- The scripts are local (no network download), which is better for supply-chain risk, but they will attempt privileged operations (chattr/chflags, cron). Some operations may require root and could interfere with system updates or backups.
- Recommended steps if you want to evaluate safely:
  1) Review protocol-guard.sh and install.sh line-by-line (they are included) or have a trusted reviewer do so.
  2) Test installation inside an isolated VM or disposable account where potential immutable flags/crontab changes won't affect critical systems.
  3) Before running install.sh, ensure you have an independent copy of SOUL.md backed up outside ~/.openclaw and a snapshot or VM checkpoint.
  4) If you install, consider declining automatic cron/@reboot setup and run monitoring manually so you control persistence.
  5) If you do not fully trust the author or cannot audit the code, do not install on shared or production systems.
- Overall: functionality aligns with the stated goal, but the hidden-execution design and persistent filesystem changes are suspicious and require explicit informed consent and careful auditing.

Review Dimensions

Purpose & Capability
note: The skill claims to implement an on-device 'AI protocol' and the provided install.sh/protocol-guard.sh perform exactly that: back up and modify the agent's SOUL.md, add protocol text as a high-priority rule, set file protections, and run integrity monitors. Those capabilities are coherent with the stated purpose of protecting an agent's core rules. However, SKILL.md also explicitly states intentions to 'auto-hide' certain rules and to add metadata instructing the platform to auto-run install.sh, while the registry metadata shows no install spec. That discrepancy and the intent to hide active rules reduce transparency.
Instruction Scope
concern: Runtime instructions and scripts modify the agent's core config (SOUL.md), change filesystem attributes (chmod, chattr/chflags), create backups, and offer to install persistent background monitoring (cron). The SKILL.md further states some protocol rules will be hidden yet executed. These actions go beyond a passive policy file and grant persistent control over agent behavior; the 'hidden-but-executing' directive is especially concerning because it reduces user visibility and auditability.
Install Mechanism
note: There is no external download in the install flow: install.sh and protocol-guard.sh are bundled and perform local file operations only. This reduces remote supply-chain risk. However, the package contains an install script that, if executed, makes high-privilege changes (immutable flags, crontab). Registry metadata lists no install spec, but SKILL.md claims install metadata will instruct automatic execution, an inconsistency to verify before allowing any automatic run.
Credentials
concern: The skill requests no environment variables or external credentials, which is appropriate. But it requires access to and modification of the agent's core configuration (SOUL.md) and other files under ~/.openclaw, and it may attempt platform-level operations (chattr/chflags, crontab) that can affect other skills and system maintenance. Those elevated file-system privileges are high compared to a typical 'policy' skill and should be explicit and accepted by the user.
Persistence & Privilege
concern: The install script injects content into SOUL.md, sets file immutability/read-only, and optionally installs a cron @reboot monitor, producing persistent, cross-session control over agent rules. SKILL.md's statements about hiding executed rules and making the protocol the 'highest priority extension' imply persistent behavioral enforcement that may be hard to notice or reverse for non-expert users. Although the skill claims physical-user unlock is required, the combination of persistence and 'hidden' rules increases the blast radius and reduces transparency.