Idea Storm
Rating: Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill’s experiment-automation purpose is coherent, but it runs background coding agents with broad command access, reads local model credentials, and launches an unpinned Docker image.
Install only if you trust the author and can review or rebuild the Docker image. Use a dedicated workspace, scoped Notion/database access, and a limited model API key. Avoid sensitive projects until prompt handling is fixed, the Docker image is pinned or supplied, and high-impact commands/API writes require explicit approval.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may change files, run commands, call APIs, and update Notion while a background experiment is running.
The skill instructs the agent to use broad code-writing, shell execution, raw Notion API calls, and background spawned sessions. These are aligned with the experiment-lab purpose, but they are high-impact capabilities without clearly bounded per-action approvals.
| Implementation | Claude Code (preferred), `exec`, `write`, `edit` |
| Notion | Notion API via `exec` |
| Background execution | `sessions_spawn` |
Use this only in a dedicated workspace, require explicit approval for shell commands and external API writes, and define clear limits for files, runtime, network access, and iterations.
A containerized process receives access to the user's model-provider credential, which could allow API usage or exposure if the container or commands are not trusted.
The script reads a local OpenClaw model-provider API key from the user's configuration and injects it into the Docker container, despite the skill metadata declaring no primary credential or required config path.
OC_CONFIG="${OPENCLAW_CONFIG:-/root/.openclaw/openclaw.json}"
API_KEY=$(python3 -c "import json; print(json.load(open('$OC_CONFIG'))['models']['providers']['cc']['apiKey'])")
...
-e ANTHROPIC_AUTH_TOKEN="$API_KEY"
Declare this credential requirement clearly, use a dedicated low-privilege token, avoid passing host credentials into unreviewed containers, and allow the user to opt in before credential use.
Users cannot verify what code runs inside the sandbox before it receives experiment files and credentials.
The runtime depends on an image named idea-lab-sandbox, but the provided artifacts include no Dockerfile, pinned image digest, or install specification. That matters because the image receives a mounted workspace and an API token.
docker run --rm -t \
  -e ANTHROPIC_AUTH_TOKEN="$API_KEY" \
  -v "$EXP_DIR":/workspace \
  idea-lab-sandbox
Provide a reviewed Dockerfile or pinned image digest, document the build source, and avoid injecting credentials into containers whose provenance is not clear.
A crafted prompt or prompt file could cause commands to run inside the container with access to the mounted experiment directory and injected API token.
Prompt text from a file or command arguments is interpolated into a bash -c string. Special shell syntax in the prompt could be interpreted by the container shell, and Claude Code is launched with --dangerously-skip-permissions.
PROMPT="$(cat "$PROMPT_FILE")"
...
bash -c "cd /workspace && git init -q 2>/dev/null; claude --print --dangerously-skip-permissions \"$PROMPT\""
Pass prompts through stdin, a safely mounted file, or properly escaped argv instead of bash -c interpolation, and avoid --dangerously-skip-permissions unless the user has explicitly approved the sandbox and command scope.
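As an added example (not code from the skill or from ClawScan), the interpolation shape this finding quotes is shown beside two forms that carry the prompt as data; printf stands in for the claude invocation so the script runs offline, and the guard function is an assumed pre-check, not part of the audited script.

```shell
#!/bin/sh
# Added example, not from the Idea Storm skill or the ClawScan report.
# printf stands in for `claude --print ...` so everything here runs offline.

# Shape of the audited script: the prompt is spliced into the command string, so the
# inner shell parses any $(...), backticks or quotes the prompt happens to contain.
run_prompt_unsafe() {
  prompt="$1"
  sh -c "cd / && printf '%s' \"$prompt\""
}

# Hardened form: the prompt travels as a positional argument. The command string is a
# single-quoted constant and "$1" is expanded by the inner shell as data, never re-parsed.
# Same shape with the container (assumed wrapper, not the skill's own line):
#   docker run ... idea-lab-sandbox bash -c 'claude --print "$1"' bash "$PROMPT"
run_prompt_argv() {
  prompt="$1"
  sh -c 'cd / && printf "%s" "$1"' sh "$prompt"
}

# Alternative: feed the prompt on stdin. Inside the container this would be
#   docker run -i ... bash -c 'claude --print "$(cat)"' < "$PROMPT_FILE"
# The text read by cat is substituted as a quoted value, so it is not parsed as shell.
run_prompt_stdin() {
  printf '%s' "$1" | sh -c 'cd / && printf "%s" "$(cat)"'
}

# Conservative pre-check for an approval step: returns 0 when the prompt carries no shell
# syntax, 1 otherwise. It is a signal for review, not a replacement for argv/stdin passing.
prompt_is_plain() {
  case "$1" in
    *'$'*|*'`'*|*'"'*|*';'*|*'|'*|*'&'*) return 1 ;;
    *) return 0 ;;
  esac
}

# Constructed prompt with a command substitution embedded in ordinary text.
PROMPT='Summarize the $(echo EXPANDED) results'
echo "unsafe: $(run_prompt_unsafe "$PROMPT")"   # substitution ran inside the shell
echo "argv:   $(run_prompt_argv "$PROMPT")"     # prompt delivered verbatim
echo "stdin:  $(run_prompt_stdin "$PROMPT")"    # prompt delivered verbatim
```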
Experiment ideas, code decisions, validation results, and user feedback may be retained locally and in Notion.
The skill intentionally persists experiment state in local files and Notion so child agents can resume work. This is purpose-aligned, but stored context can include sensitive project details or later influence future agent actions.
Three-layer storage so that state is never lost: ... SESSION-STATE.md ... experiment.yaml ... Notion long-term record
Do not use this with sensitive projects unless the workspace and Notion database are appropriately protected, and periodically review or delete stored experiment state.
Subagents may keep running experiment phases while the user continues chatting, producing files and Notion updates in the background.
The skill openly uses background spawned subagents. The design includes checkpoints, so this is not hidden, but users should understand that work may continue outside the main conversation flow.
An automated design → validate → iterate loop for engineering problems. Runs in the background without blocking the main session.
...
spawn("idea-storm: 实现+验证")
Monitor spawned sessions, define maximum iteration/runtime limits, and ensure there is a clear way to stop or pause an experiment.
