Skillv1.0.0

ClawScan security

Auto Skill Evolver 1.5.1 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewApr 14, 2026, 12:59 AM

Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary: The skill's behavior (autonomously editing other skill files and spawning local agents/commands) is coherent with its stated purpose but contains deployment/metadata inconsistencies and powerful write/run capabilities that warrant caution before installing or using without human review.
Guidance: This tool is powerful and mostly coherent with its stated purpose, but take these precautions before using it: 1) Prefer running in interactive mode so each proposed change must be approved; never run with unattended approval tokens unless you fully trust the environment. 2) Verify the OpenClaw CLI dependency is installed and declared (SKILL.md mentions it but registry metadata didn't list required binaries). 3) Inspect the included scripts (especially optimize_skill.py and any code that invokes openclaw or launches subprocesses) and run them in a sandbox or throwaway environment first. 4) Note the ownerId mismatch in _meta.json vs registry metadata — confirm the package source. 5) Back up skill directories (or use the provided .skill_versions) before applying proposals. 6) If you want lower risk, run the optimizer on a copy of the skill directory, enable all safety checks, and keep interactive review on so a human must accept any diff that introduces network calls or system-level commands.

Review Dimensions

Purpose & Capability: concernThe skill claims to use the local OpenClaw CLI and to evolve other skills (which legitimately requires read/write access to SKILL.md files and running subprocesses). However, the registry metadata shows no required binaries while SKILL.md frontmatter and README explicitly require 'openclaw' in PATH — an inconsistency. Additionally _meta.json ownerId differs from the registry ownerId, which could indicate repackaging or metadata drift.
Instruction Scope: concernRuntime instructions and code allow the tool to read execution traces, spawn a local sub-agent, build proposals, and atomically rewrite SKILL.md files across the skills root. This is functionally consistent but high-impact: it can modify arbitrary skills under the skills root and run user-supplied agent commands. The package includes explicit warnings and several defensive checks (permission checks, frontmatter protection, approval tokens), but if run non-interactively or with an approval token the agent could apply changes without human review.
Install Mechanism: noteThere is no install spec (instruction-only), which reduces supply-chain risk from remote installers. But the package contains multiple Python scripts delivered as part of the skill bundle; those will be written to disk when the skill is installed/used. No external download URLs or package installs are present.
Credentials: okThe skill declares no required environment variables or credentials (primary credential: none). The code reads environment variables only for harmless purposes (e.g., USERNAME on Windows for file permission commands). There are no hardcoded external API keys or remote endpoint secrets requested.
Persistence & Privilege: noteThe skill does not set always:true and uses normal, local file operations (.skill_versions, .secure_workspace). It writes backups and proposals in the target skill's directory and creates secure workspace directories; that behavior is expected for a self-modifying tool but grants persistent filesystem presence and the ability to alter other skill files under the skills root.