Back to skill
Skillv1.0.0
ClawScan security
Seamless Restart · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 11, 2026, 7:13 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions match its stated purpose (coordinating a restart + recovery), but they ask the agent to persist and later act on workspace state (NOW.md) and to schedule recovery jobs without guidance on sanitization or confirmation — these behaviors could lead to accidental data leaks or unintended automated actions.
- Guidance
- This protocol is coherent with its goal (ensuring the agent notifies users and restores context after a gateway restart) but carries two practical risks you should consider before installing: (1) NOW.md is a persistent workspace file — do not put API keys, passwords, or other secrets in it; add explicit redaction or encryption steps if you plan to store sensitive context. (2) The recovery cron automatically instructs the agent to 'resume' tasks from NOW.md; decide whether resumed tasks should require explicit user confirmation (recommended for any operation that performs actions, accesses services, or could change external state). Additional mitigations: restrict write access to NOW.md to trusted principals, limit cron payload visibility/logging, set short lifetimes for scheduled recovery jobs, and add explicit sanitization steps in the protocol (remove secrets, redact tokens, require user approval before resuming critical tasks). If you cannot control who can edit workspace files or you need strong protection for secrets, treat this skill as higher-risk and avoid automatic resumption.
- Findings
[no_code_files_to_scan] expected: The regex-based scanner had no code files to analyze; this is expected for an instruction-only SKILL.md. Lack of findings is not evidence of safety — the SKILL.md content is the primary surface to review.
Review Dimensions
- Purpose & Capability
- okName, description, and runtime instructions are consistent: the skill is an instruction-only protocol for saving state, notifying the user, scheduling a recovery job, and invoking a gateway restart. No unrelated binaries, env vars, or installs are requested.
- Instruction Scope
- concernThe SKILL.md instructs the agent to write and later read NOW.md in the workspace root and to 'resume any active tasks' after restart. Persisting conversation context and task lists is coherent with the purpose, but the instructions do not: (1) warn against storing secrets in NOW.md; (2) constrain what 'resuming' means (could trigger network actions, credentials use, or side effects); or (3) require user confirmation before resuming potentially sensitive or destructive tasks. The cron payload also embeds textual instructions that may be stored in scheduler logs or visible to other components.
- Install Mechanism
- okInstruction-only skill with no install steps and no code files — lowest-risk install mechanism. Nothing is downloaded or written by an installer.
- Credentials
- noteThe skill requests no env vars, credentials, or config paths, which is proportionate. However, it encourages persisting session context in workspace files and may prompt inclusion of channel IDs, task descriptions, or notes about config changes (e.g., 'Applying new API key') without explicit guidance to avoid including secret values.
- Persistence & Privilege
- concernThe skill recommends creating a one-shot cron job that survives the restart to trigger recovery. While the cron is temporary, it will persist across the restart and contains payload text instructing the agent to read NOW.md and resume tasks. Combined with automatic resumption, this allows autonomous post-restart actions without explicit user confirmation, increasing blast radius if NOW.md contains sensitive data or if an attacker can tamper with NOW.md or the scheduled job.