Sage CPO
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Sage CPO looks like a legitimate product-strategy assistant, but it persistently changes workspace agent instruction files and shared product memory, so users should review those side effects before use.
Install or invoke this skill only if you want Sage CPO to persist in the workspace. Before first use, review or back up the agent instruction files it may edit, keep ~/.sage private, avoid storing secrets or sensitive customer data, and do not commit sage-mirror unless you intend to share that company memory.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After use, later OpenClaw/Codex/Claude Code sessions in the same workspace may behave as Sage CPO even for tasks where the user did not explicitly request that role.
The bootstrap script creates or updates multiple persistent agent instruction/profile files so future agents in that workspace inherit the Sage CPO role.
OPENCLAW_FILES=("AGENTS.md" "CLAUDE.md" "SOUL.md" "IDENTITY.md" "TOOLS.md" "USER.md" "HEARTBEAT.md") ... Agents running in this workspace should directly become Sage CPO
Run this only in workspaces where persistent Sage CPO behavior is desired; review file diffs for AGENTS.md, CLAUDE.md, SOUL.md, IDENTITY.md, TOOLS.md, USER.md, and HEARTBEAT.md, and ask the publisher for a confirmation and rollback option.
Using the skill can create or update files in the current workspace and under ~/.sage.
The skill explicitly tells the agent to run local bash setup scripts during startup. This is disclosed and purpose-aligned, but it performs file-system changes rather than only generating advice.
Each time this Skill is triggered, first look at the current workspace, then check `~/.sage`. ... bash /path/to/sage-cpo/scripts/bootstrap_workspace_identity.sh "$PWD" ... test -d "$HOME/.sage" || bash /path/to/sage-cpo/scripts/init_sage.sh
Preview the commands and keep backups or version-control diffs before first use; prefer manual approval before running setup scripts.
Business facts, team details, product feedback, roadmaps, and decisions may persist locally and influence future agent answers.
The skill maintains a persistent shared company and product memory that can be reused across sessions and other Sage skills.
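All Sage-series Skills share the same company fact layer. The CPO can read company basics, team, service catalog, operating processes, and decision records. CPO-specific extensions are written to `~/.sage/product/`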
Do not store credentials, sensitive personal data, or private customer information in ~/.sage; periodically review the memory files and avoid committing any sage-mirror copy to a repository.
