Metaskill

Teaches AI agents how to learn better by enforcing deep correction, transfer learning, and proactive pattern recognition. Use when an error occurs and needs...

Key points to consider before installing or running Metaskill: - Metadata mismatch: The registry says no env vars are required, but the code expects API keys (ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_API_KEY) or a local Ollama server. Ask the publisher to correct the metadata or be prepared to set these env vars if you want full LLM functionality. - Data sent to external LLMs: When the scripts run in LLM mode they send error descriptions and excerpts of your LEARNINGS.md to third-party services (Anthropic, OpenAI, Google generative API) or to a local Ollama instance. If those messages may contain sensitive information, prefer using a local Ollama model or run in manual/fallback mode. - File writes and cross-skill access: The skill will create and append files under your OpenClaw workspace, including writing into skills/self-improving-agent/.learnings/ if that directory exists. Back up any important learnings before running; review file paths in the scripts if you want different locations. - Audit and test: Review or run the scripts in a sandboxed test workspace first. If you want to be extra cautious, run with environment variables unset to force offline/manual behavior, or configure providers in config.yaml to use a local Ollama instance. - Trust & provenance: The source/homepage are unknown and the owner is an unfamiliar ID. If you require strong provenance, request publisher information or prefer skills from known sources. What would make this benign: updating the registry metadata to list optional/required env vars, and explicit documentation of data flows (what is sent to LLMs). If you cannot confirm provenance or cannot tolerate sending learning content to remote LLMs, do not enable LLM mode and/or run in an isolated workspace.

Type: OpenClaw Skill Name: metaskill Version: 1.3.0 The skill bundle is classified as suspicious due to multiple shell injection vulnerabilities and prompt injection risks. Specifically, `scripts/deep-correct.sh` and `scripts/success-capture.sh` are vulnerable to shell injection via here-documents, where user-controlled input (`$ERROR_DESC`, `$PRINCIPLE`, `$HABIT`, `$WHAT`, `$WHY`) is directly expanded, allowing arbitrary command execution. `scripts/transfer-check.sh` also has a shell injection risk when processing `$TASK` with `echo` and `grep`. Additionally, `scripts/llm_extract.py` and `scripts/llm_transfer.py` are susceptible to prompt injection against the LLM, as user-provided descriptions are directly embedded into LLM prompts. While these are significant vulnerabilities that could lead to compromise, there is no clear evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints or backdoor installation.