Openclaw Skill Review
Audited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
Based on the provided artifacts, this skill appears coherent and not malicious. Before installing it or entering real family-office data, verify the external npm package and repository, confirm the data storage and encryption behavior, and require confirmation for actions that change task or contact records. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Sensitive family, legal, health, contact, and task data could be exposed if local files or backups are not protected.
The skill is intended to store and retrieve highly sensitive personal, legal, and family-office records persistently. This is purpose-aligned, but users should understand the storage location and protection model.
- Health notes and personal information
- Secure document storage with encryption support
- Local JSON storage
Before entering real data, verify where data is stored, whether encryption is actually enabled, and how backups or device sync handle those files.
Installing or running the full tool may execute code that was not included in this review.
The runtime functionality depends on an external npm package and a tools file not present in the provided manifest, while the reviewed files mainly contain documentation and publishing helpers.
"installation": { "type": "npm", "package": "openclaw-family-steward", "command": "npm install -g openclaw-family-steward" },
"usage": { "agent": { "toolsFile": "agents/tools.ts" } }
Verify the npm package, repository, version, and source code before installing, especially before storing sensitive family-office information.
A maintainer who runs the helper script with malicious input could execute unintended shell commands.
The publishing helper uses eval on a command built from version/changelog inputs. This is not normal skill runtime, but it can execute shell metacharacters if run with untrusted arguments.
PUBLISH_CMD="clawhub publish $SCRIPT_DIR --slug family-steward --version $VERSION --changelog \"$CHANGELOG\""
if eval "$PUBLISH_CMD"; then
Do not run publish.sh with untrusted arguments; replace eval with a safely quoted argument array.
Accidentally completing tasks or adding incorrect interaction notes could affect family-office tracking and deadlines.
The documented tools can intentionally mutate local contact/task records. That fits the task-management purpose, but these actions should remain user-directed.
"log_contact_interaction" ... "Interaction details (date, type, subject, notes)" ... "complete_task" ... "Mark a task as completed"
Confirm important record-changing actions before allowing the agent to mark tasks complete or log interactions.
