Automatically discovers and installs high-value skills from ClawHub based on unresolved issues, user profile, and skill compatibility.
Security Analysis
Medium confidence
The skill largely does what it claims (discover and auto-install skills) but it reads potentially sensitive local session files, can clone and run remote code, and references an external reporting script — behaviors that increase risk and deserve careful review before enabling automatic or scheduled runs.
The skill's declared purpose (discover & install skills) matches most of what the code does: it reads workspace files (USER.md, memory, sessions), queries ClawHub endpoints, ranks candidates, and installs/clones skills into the skills directory. claw.json explicitly grants filesystem permission, which aligns with these actions. This is coherent, but reading agent session JSONL and memory files exposes sensitive conversation content — that is a legitimate input for problem-mining but is privacy-sensitive and should be acknowledged by operators.
SKILL.md and README instruct the agent to run the JS script, optionally on a schedule, and to perform dry-run/auto/install flows. The instructions explicitly call for reading recent session logs, task-memory bullets, personality and USER.md, and for cloning/installing candidate skills. The scope is consistent with the stated purpose, but the instructions grant broad discretion (scheduled patrols, auto installs) which raises operational risk if enabled without safeguards (dry-run, low max-install, review step).
There is no package install spec, but the included src/hunt.js uses child_process (execSync/spawnSync) and is designed to clone upstream skill repos or scaffold fallback code. Cloning and then running or installing arbitrary repositories from ClawHub (or other upstream URLs) is inherently risky because those remote repos can contain arbitrary code. The lack of an explicit vetted install source or signature/allowlist increases the attack surface.
claw.json lists no required env vars, but SKILL.md and code reference SKILL_HUNTER_NO_REPORT and SKILL_HUNTER_MAX_INSTALL (env overrides) and the code references a REPORT_SCRIPT pointing to a feishu-evolver-wrapper — implying potential outbound reporting. No reporting credentials are declared, yet the presence of a report wrapper (feishu) suggests the skill may send summaries externally if system credentials exist. The skill also reads sensitive local artifacts (session JSONL, USER.md, personality state). Those accesses are plausible for its purpose but are high-sensitivity and should be explicitly consented to.
The skill does not set always: true and does not demand elevated platform flags, but it is allowed to run autonomously (normal default) and can install other skills into the workspace. That combination substantially increases blast radius: a compromised or buggy discovery pipeline could install arbitrary skills that will be executed later. Operators should treat auto-install + autonomous invocation as a privileged capability and constrain runs (dry-run first, low max-install, manual review).
Guidance
This skill behaves like an autonomous package manager: it reads recent session logs and memory to infer problems, searches ClawHub, and may clone and install external skill repositories automatically. Before enabling automatic or scheduled runs:
1) run with --dry-run and inspect the candidate list and any cloned repos;
2) restrict max-install to 1 and require a human review step before retaining new skills;
3) review the REPORT_SCRIPT (feishu-evolver-wrapper) to confirm it will not leak conversation data or post to external endpoints you don't control;
4) if you have sensitive conversations, consider limiting or sanitizing the SESSIONS_DIR and memory files the skill can read;
5) consider running the hunter in a sandboxed environment (container/VM) where file-system and network access are limited.
If you need help auditing the rest of src/hunt.js (truncated in provided output) or verifying the exact clone/install commands it runs, provide the full file so it can be reviewed line-by-line.
Latest Release
v1.0.3
Optimize SKILL.md with clearer triggers, workflow, operating modes, schedule policy, and safety guardrails.
Published by @wanng-ide on ClawHub