Sage Cgo
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent growth-advisor skill, but it deserves review because it can persistently rewrite agent-instruction files in your workspace and store shared business memory.
Install only if you want a persistent local company/growth memory and are comfortable with the skill updating workspace agent files. Before first use, back up AGENTS.md/CLAUDE.md and related files, review any diffs, keep secrets out of ~/.sage, and avoid creating sage-mirror inside shared, synced, or git-tracked folders unless you explicitly want that data there.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Starting the skill can change files in your project automatically, not just answer growth-strategy questions.
The skill instructs the agent to run a local shell script on every trigger against the current workspace. Because that script mutates workspace instruction files, this is high-impact tool use without a clearly stated approval or preview step.
Each time this Skill is triggered, first look at the current workspace, then check `~/.sage`. ... `bash /path/to/sage-cgo/scripts/bootstrap_workspace_identity.sh "$PWD"`
Run the bootstrap only after explicit user confirmation, show a diff first, and let users opt out or choose which workspace files may be updated.
Other agent sessions in the same project may be steered toward the Sage CGO persona and workflow after this skill has run.
The bootstrap persists Sage CGO identity and operating instructions into multiple workspace-level agent files, so future agent sessions in that workspace may inherit this role even when the user did not explicitly invoke this skill.
OPENCLAW_FILES=("AGENTS.md" "CLAUDE.md" "SOUL.md" "IDENTITY.md" "TOOLS.md" "USER.md" "HEARTBEAT.md") ... Agents running in this workspace should directly become Sage CGO
Limit persistent role files to a user-approved target, mark inserted sections clearly, provide an undo command, and avoid making the Sage CGO role the default for unrelated future tasks.
Company strategy, customer, product, workflow, and decision information may be kept locally and reused in later sessions.
The skill intentionally stores and reuses company facts and growth memory across Sage skills. This is purpose-aligned, but it is persistent business context that can influence later answers.
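`~/.sage` company DNA ... All Sage-series Skills share the company fact layer ... CGO reads company positioning, products and services, customers, operational processes, and recent decisions. CGO-specific extensions are written to `~/.sage/growth/`.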
Keep secrets, API keys, bank details, private links, and unnecessary personal data out of ~/.sage; periodically review and delete stale or sensitive memory.
Business memory copied into a project folder could be accidentally edited, synced, or committed if the workspace is shared or under version control.
The mirror helper copies the entire ~/.sage memory into the current workspace. The 'read-only' property is described in README text, but the script does not enforce read-only permissions.
TARGET="${1:-sage-mirror}" ... `cp -R "$SAGE_HOME"/. "$TARGET"/` ... "This folder is a read-only workspace mirror"
Use the mirror only in private workspaces, add sage-mirror/ to .gitignore if needed, and do not treat the copied folder as a protected or automatically synchronized read-only view.
