Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Retrospect
v1.4.0 · Session retrospective that analyzes conversation history to produce structured feedback for both user and LLM. Use this skill whenever the user says '复盘', 'r...
⭐ 0 · 54 · 0 current · 0 all-time
by zhangbc@zbc0315
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious (high confidence)
Purpose & Capability
Name/description: retrospective on conversation history for a project. The packaged Node parser and SKILL.md are consistent with that goal, but the parser also scans global session directories (~/.codex/sessions and OpenCode session paths) in addition to the project-specific Claude path. That global scan is not justified by the 'project' framing and is broader than a user would reasonably expect.
Instruction Scope
Runtime instructions tell the agent to run the bundled parser against the current working directory and then spawn a subagent with the full transcript. The parser reads session files from multiple home-directory locations (Claude, Codex, OpenCode) and will merge them into one transcript. This collects potentially unrelated session data and then passes the full transcript to another agent — increasing risk of sensitive data exposure. The SKILL.md claims the parser will find 'all session JSONL files for this project' but the code will include whole ~/.codex and opencode session folders without project filtering.
Install Mechanism
No install spec — instruction-only with a bundled script. No remote downloads or package installs are performed by the skill itself, which reduces supply-chain risk.
Credentials
The skill declares no required env vars, but its SKILL.md uses ${CLAUDE_SKILL_DIR} (not declared) to locate the script. More importantly, the parser inspects files in the user's home directories (e.g., ~/.claude, ~/.codex, OpenCode session dirs) and will process any session logs found there. Requesting no credentials is appropriate, but reading broad home-directory session logs is disproportionate to a strictly project-scoped retrospective and could expose unrelated or sensitive conversations.
Persistence & Privilege
always:false (no forced installation) and no system config changes. The skill writes a transcript to /tmp and the resulting feedback files to the project root, and instructs launching a subagent. Autonomous invocation is allowed (platform default) — combined with the broad file-read scope this increases blast radius, but there is no persistent/system-level privilege escalation requested.
What to consider before installing
This skill purposefully collects conversation logs and runs an analysis subagent. Before installing or invoking it, consider: (1) It scans global session folders (~/.codex/sessions and OpenCode session paths) in addition to project-specific Claude paths — it may include transcripts from other projects or sessions you didn't intend to share. (2) It spawns a subagent and passes the full merged transcript to that agent — review whether you want those transcripts handed to another agent/process. (3) The SKILL.md references ${CLAUDE_SKILL_DIR} though no env var is declared; verify your runtime supplies it. Recommended actions: inspect scripts/parse_session.js yourself (it is included), run the parser manually in a safe environment to see what files it finds, or modify the script to restrict scanning to only the intended project paths before allowing it to launch any subagent. If your session logs contain secrets or sensitive info, avoid running this skill until you confirm it will only read the intended files.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97b2r32cs4m5v4bgrxgmg552n84c7mv
Runtime requirements
Bins: node
