Skillv0.1.0

ClawScan security

Conversation Guard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 12:59 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what it claims (local conversation backups) but contains multiple inconsistencies between its documentation and the shipped script, plus minor installation/behavioral risks you should review before installing.
Guidance: Summary of what to check before installing: - Inspect the script yourself before sourcing it. The package includes conversation-guard.sh — open it and verify there is no network exfiltration or obfuscated code. The script in the package is plain Bash and writes only to local files, but verify it matches what you expect. - Do not blindly curl the remote URL recommended in SKILL.md; prefer the packaged copy or fetch the remote file separately and inspect it before installing. - Be aware this skill writes plain-text conversation logs and JSONL backups to ~/.openclaw/workspace/memory and ~/.openclaw/workspace/memory/.guardian. If these files contain sensitive data, ensure they are protected (disk encryption, restrictive permissions) and not committed to any git repository (use .gitignore as suggested). - Fix mismatches before use: SKILL.md mentions GUARDIAN_MEMORY_PATH and GUARDIAN_DISABLE_JSONL, but the script uses MEMORY_DIR and GUARDIAN_DIR and does not honor GUARDIAN_DISABLE_JSONL. If you want to disable JSONL backups, modify the script to check that flag. - The AGENTS.md snippets reference different variable names and session marker files (.session_reset_detected vs .current_session) than the script uses. Update your AGENTS.md snippets to call the exported functions correctly (record_interaction with the right arguments) and to use guardian_detect_reset/guardian_recover_context if you want the time-gap logic. - Test in an isolated workspace first: enable the recorder in a non-sensitive agent or sandbox, confirm file locations and contents, and verify the behavior on session resets and emergency_backup. Because of the documented vs implemented mismatches and the fact this change requires modifying AGENTS.md (which runs after every response), treat this as potentially risky until you review and possibly patch the script and the install instructions to match your preferences.

Review Dimensions

Purpose & Capability: noteThe name/description (local conversation backup + importance tagging) align with the included script and AGENTS.md snippets: the skill only writes local markdown/JSONL backups and exposes helper functions. It does not request credentials or network access at runtime. However documentation mentions environment variables and behaviors that do not match the actual script (e.g., GUARDIAN_MEMORY_PATH vs the script's MEMORY_DIR/GUARDIAN_DIR), which is a coherence issue.
Instruction Scope: concernSKILL.md instructs you to add code to AGENTS.md that will be run after every assistant response — that is expected for an automatic recorder but is a sensitive change to your agent's config. More importantly, several runtime instructions in SKILL.md do not match the script: the AGENTS.md 'NEW SESSION' snippet checks for .guardian/.session_reset_detected, but the script uses a .current_session marker and time-delta logic; SKILL.md documents an environment variable (GUARDIAN_DISABLE_JSONL) to disable JSONL backups but the shipped script does not honor that variable. The mismatches mean following the docs blindly could produce unexpected behavior.
Install Mechanism: noteThe registry package contains the script, README, and SKILL.md (no compiled binaries). SKILL.md suggests downloading the script from a GitHub raw URL (raw.githubusercontent.com). Downloading from GitHub releases/raw is common and lower-risk than arbitrary servers, but SKILL.md both suggests curling a remote copy and the package already includes the script — this duplication is odd and you should prefer the packaged copy or inspect the remote source before running curl|sh.
Credentials: concernThe skill requests no credentials (good). But SKILL.md documents environment variables (GUARDIAN_MEMORY_PATH, GUARDIAN_DISABLE_JSONL, GUARDIAN_FLUSH_INTERVAL) that are inconsistent with the script which actually reads MEMORY_DIR and GUARDIAN_DIR environment variables and does not check GUARDIAN_DISABLE_JSONL. The mismatch between declared and actual env variables reduces transparency and could lead to user error or misconfiguration.
Persistence & Privilege: noteThe skill is not always-enabled and does not request elevated privileges. It asks you to modify AGENTS.md so it runs after each assistant response — this is required for its purpose but increases its runtime footprint (it will be invoked frequently). That autonomous invocation is normal for skills, but be aware it will persistently create files in your workspace (plain text backups).