chitin-chronicle
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill has a coherent publishing-coordination purpose, but its CLI builds shell commands and file paths from unvalidated inputs, which could let crafted content IDs or agent names execute local commands or write outside the intended claims folder.
Review the CLI implementation before installing. The concept is coherent, but the shell command and filename handling should be fixed before agents use untrusted or externally influenced content IDs, channels, actions, titles, or agent names. If you do install it, add the boot hook only if you want persistent startup summaries every session.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed content ID, channel, action, or agent name could cause the agent to execute arbitrary local shell commands when it records a claim, release, or publication.
The git commit command is executed through a shell, and the commit message is built from values such as agent, contentId, action, and channel. Crafted values containing shell metacharacters could break out of the quoted commit message and run unintended local commands.
```js
execSync(`git -C ${EDITORIAL_DIR} commit -m "${message}"`, { stdio: 'ignore' });
```
Replace shell-string execSync calls with execFileSync or spawn using argument arrays, and validate or escape all user-controlled fields before using them in command arguments.
A crafted content ID or agent name could cause claim creation or release to write or move files outside the intended claims directory.
The claim filename is built directly from CLI-provided contentId and environment-derived agent values, then passed to path.join without restricting slashes, '..', or other path-control characters.
```js
const filename = `${contentId}-${agent}.claim`;
const filepath = path.join(CLAIMS_DIR, filename);
writeJSON(filepath, claim);
```
Restrict content IDs and agent names to a safe character set, reject path separators and '..', and verify the resolved path remains inside the claims directory before writing or renaming files.
The skill may fail or behave differently on systems without bash, Node.js, or git, even though those requirements are not declared in metadata.
The registry metadata declares no required binaries, while SKILL.md and README.md instruct use of bash and node, and scripts/editorial.js shells out to git.
Required binaries (all must exist): none
Declare bash, node, and git as required binaries, or document clearly that the skill only works where those tools are available.
If installed as documented, the boot-check script will run at the start of future agent sessions and display stored editorial state.
The skill asks the user to add a boot-time script to the agent startup sequence. This is disclosed and consistent with the stated boot-time awareness feature, but it is a persistence mechanism.
Add this line to your `AGENTS.md` startup section: `bash /home/aaron/.openclaw/workspace/skills/chitin-chronicle/editorial/boot-check.sh`
Only add the boot hook if you want this behavior every session, and remove the AGENTS.md line if you no longer use the skill.
Editorial titles or claim names stored by one agent can reappear in later sessions; if those fields contain instructions, an agent might mistake them for guidance rather than data.
The boot hook prints stored ledger titles into the agent's startup context. Titles are supplied through the publish command and may contain arbitrary text.
```js
console.log(` ${date} | ${e.channel} | ${e.author} | ${e.title}`);
```
Treat ledger, registry, and claim contents as untrusted data in prompts, and consider sanitizing or labeling displayed fields so they are not interpreted as instructions.
