script creator with github companion
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved, the agent can create or modify files and Git history inside the configured workspace.
The skill instructs the agent to run local shell and Git commands that create files, directories, repositories, and commits. This is purpose-aligned and confirmation-gated, but it is still local mutation authority.
mkdir <script_name> ... git init ... touch <script_name>.<extension> ... git add . ... git commit -m "Initial commit: <script_name>"
Review the proposed directory, filename, and changes before confirming; use simple script names and ensure the path stays under ~/.nanobot/workspace/test.
Approving dependency installation can change the Python environment and may install packages you did not intend if names are wrong or ambiguous.
The skill may install Python dependencies by package name. That is expected for script creation, but the instructions do not require pinning versions or verifying package provenance.
source ~/.nanobot/workspace/venv/bin/activate pip install <package1> <package2> ... deactivate
Confirm package names carefully, prefer trusted packages, and consider pinned versions for reproducible scripts.
A package installed for one script could change behavior or compatibility for other Python scripts in the same workspace.
The skill uses one shared virtual environment for package management, so dependency additions or conflicts from one script can affect other scripts that reuse that environment.
Python virtual environment: `~/.nanobot/workspace/venv` ... pip install <new_package>
Use the shared venv only if that is acceptable; for stronger isolation, create per-script virtual environments or document/pin dependencies.
