Skill v1.0.1

ClawScan security

zxyskill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 26, 2026, 12:54 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (recording preferences and mistakes) generally matches its instructions, but it asks the agent to read arbitrary file paths/URLs and to persist files that can include 'SYSTEM_PROMPT' templates and agent/persona files — behavior that can enable persistent prompt injection or expose local secrets and thus warrants caution.
Guidance
This skill is coherent with being a 'memory' helper, but it asks the agent to read arbitrary file paths/URLs and to write persistent workspace files — including a SYSTEM_PROMPT template and persona files. Before installing or enabling it: (1) inspect the SKILL.md and README contents (you've done this), (2) do not give file paths or URLs that point to sensitive local files (e.g., ~/.ssh/, /etc/, cloud credential files), (3) avoid copying SYSTEM_PROMPT.md, AGENTS.md, SOUL.md, or USER.md into your agent workspace unless you trust their contents, (4) run the skill in a restricted/sandboxed environment first and test with non-sensitive data, and (5) consider adding filesystem access controls (or a policy) so the skill can only write/read a dedicated memory directory. If you cannot audit or sandbox these behaviors, treat the skill as risky.

Review Dimensions

Purpose & Capability
note: The skill's name/description (memory, lessons learned, prohibited words) aligns with instructions to persist preferences and mistakes to workspace files. However, the README also instructs copying agent/system/persona files (AGENTS.md, SOUL.md, SYSTEM_PROMPT.md, USER.md) into the workspace — copying/modifying these is not strictly necessary for simple preference/mistake recording and increases risk of changing agent behavior.
Instruction Scope
concern: Runtime instructions tell the agent to 'read the content first' (original: '先读取内容') for any user-supplied file path and to fetch content for any user-supplied URL, and to automatically write persistent data into memory/ and MEMORY.md. The skill also references memory/lessons/SYSTEM_PROMPT.md (an 'injection template') and recommends copying persona/system files into the workspace. Reading arbitrary local files and creating/updating system prompt templates are high-scope actions that can expose secrets or enable persistent prompt injection.
Install Mechanism
ok: This is an instruction-only skill with no install spec, no downloads, no added binaries — lower technical installation risk. The README suggests manual copying of files into ~/.openclaw/workspace/, which is a user action rather than an automated installer.
Credentials
ok: The skill requests no environment variables, no credentials, and no required binaries. That is proportionate to its stated memory/recording purpose. The main risk arises from file access rather than secrets requested via env vars.
Persistence & Privilege
concern: The skill expects to write persistent files under the workspace (MEMORY.md, memory/lessons/*). More concerning: it explicitly lists SYSTEM_PROMPT.md and suggests copying AGENTS.md/SOUL.md/USER.md into the workspace. Persisting or modifying system/prompt/persona files can permanently alter agent behavior (persistent prompt injection) and constitutes a privileged change to the agent environment, despite always:false.