Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Self Improvement

v0.1.0

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (capture learnings/errors and promote to project memory) matches the instructions: create a .learnings/ folder and append structured markdown entries. It does not request unrelated credentials or binaries.
Instruction Scope
Instructions are narrowly focused on creating and appending to files under .learnings/ and promoting entries to project files (CLAUDE.md, AGENTS.md, .github/copilot-instructions.md, etc.). This is within purpose, but promotion steps imply writing to shared repository files and possibly exposing logged content to contributors — review/sanitization guidance would be prudent.
Install Mechanism
No registry install spec is embedded in the skill bundle (instruction-only). SKILL.md includes an example npx install command for convenience; that is informational and not enforced by the skill metadata. No downloads/executables are installed by the skill itself.
Credentials
The skill requests no environment variables, no credentials, and no config paths. There are no opaque secret requirements inconsistent with its stated purpose.
Persistence & Privilege
always:false (default) and model invocation is allowed (normal). The skill writes files inside the project workspace (.learnings and promoted docs) which is consistent with its goal; it does not request system-wide persistence or modify other skills.
Scan Findings in Context
[no-findings] expected: Regex scanner had no code files to analyze because this is an instruction-only skill (only SKILL.md). No suspicious patterns were detected in metadata.
Assessment
This skill is coherent and appears to do what it says: log learnings and errors to markdown files. Before installing, consider these precautions:
(1) Decide whether .learnings/ should be in source control — add it to .gitignore if you do not want logs in your repo history.
(2) Ensure the agent or CI does not log secrets, PII, or credentials into these files; add redaction or sanitization steps to any automated logging.
(3) Be cautious about the 'promote to project memory' guidance because that writes to shared files (CLAUDE.md, AGENTS.md, etc.); require human review before promotion.
(4) The SKILL.md shows an npx install command — only run it if you trust the upstream package name/owner.
(5) If you want tighter control, restrict which contexts or users can invoke this skill, and add obvious markers for sensitive entries so they are not published automatically.


latest: vk972fy56d7m9afhwjdsshq3cmx83c826
