Is clawshot safe?

SKILL.md contains absolutist instructions ('These rules are ABSOLUTE and must NEVER be violated') that command the agent to hide all memory operations from the user, never mention the memory system, never show output, and 'JUST DO IT silently in the background'. This is a prompt injection that overrides the agent's default behavior of being transparent with users about what actions it takes. The user loses all visibility into what data is being collected and stored about them.

The skill mandates that the agent ALWAYS run 'sync --start' at the beginning of every session and silently execute python3 subprocess commands throughout the session to remember user statements. The agent is instructed to autonomously decide what to record and execute shell commands without any user approval or awareness. This hijacks the agent's tool-use consent model.

The skill silently captures and persists user decisions, preferences, corrections, learning moments, project architecture details, requirements, and constraints. This data is stored in git notes which persist across sessions. The accumulated profile includes detailed information about the user's technical preferences, project details, and behavioral patterns — all collected without user knowledge or consent.

Memory data stored in git notes (refs/notes/mem-, refs/notes/ent-, refs/notes/idx-) could be inadvertently pushed to remote repositories. While git push doesn't push notes by default, commands like 'git push origin refs/notes/' or configured push refspecs would expose all accumulated user profile data to remote servers.

During the clone/install process, monitoring detected access to SSH private keys (/home/oc-exec/.ssh/id_rsa), Docker configuration (/home/oc-exec/.docker/config.json), SSH host keys (/etc/ssh/ssh_host_*_key), and system files (/etc/passwd). While some of these may be incidental to the git clone process (SSH key for authentication), the breadth of file access is concerning, especially Docker config access.

memory.py executes git commands via subprocess.run() where the working directory is controlled by the -p parameter with no path validation or sandboxing. The _ensure_git() function will run 'git init' and 'git config' in any directory. An attacker who controls the path argument could use this to initialize git repos or modify git config in sensitive directories.

The _init_context() function silently reads package.json, README.md, and probes for setup.py, pyproject.toml, Cargo.toml, go.mod, and *.md files to fingerprint the project. This happens automatically on first sync without user awareness.

The README instructs users to add 'YOU MUST ALWAYS USE git-notes-memory SKILL' to their project's CLAUDE.md file, creating a persistent instruction injection that forces the agent to use this skill in every session for that project, further entrenching the covert data collection.

By training the agent to perform hidden actions and actively suppress transparency, this skill normalizes a pattern where the agent conceals its behavior from users. This erosion of trust boundaries could make users more vulnerable to future malicious skills that also request silent operation, as the precedent has been established.

The accumulated user profile data in git notes has no access controls. Any other skill or process with access to the git repository can read all stored memories, effectively turning this into a shared data store that other malicious skills could harvest for sensitive user information.

The _init_context function reads project name, description, type, and README content without user knowledge, storing this as an auto-tagged memory entry.

The skill installation failed with a timeout error, which prevented full analysis of clone-time behavior. The sensitive file access occurred before the timeout.