runbook-generator

v1.0.0

Generate operational runbooks from project files. Scans Dockerfiles, docker-compose.yml, systemd units, Makefiles, package.json, and config files to produce...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, SKILL.md, STATUS.md, and the included Python scanner are consistent: the tool scans Dockerfiles, docker-compose.yml, systemd units, Makefiles, package.json, .env, nginx.conf and generates runbooks. No unrelated binaries or credentials are requested.
Instruction Scope
The runtime instructions explicitly ask the agent/user to point the script at a project directory; the script reads many infrastructure files (including .env and systemd units). The script masks .env values in its extraction logic, but it still reads those files into memory. Avoid pointing the tool at directories containing production secrets or root/system config unless you trust the code and environment.
Install Mechanism
There is no install spec (instruction-only skill with a bundled Python script). That is low risk; nothing is downloaded or written to system locations by an installer.
Credentials
No environment variables, credentials, or config paths are declared or required. The script does scan .env files in project directories (which is expected for its purpose) and attempts to mask values in .env parsing.
Persistence & Privilege
always is false; the skill is user-invocable and can be invoked autonomously by the agent (the default). It does not request permanent presence or modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it says: it scans project infrastructure files and produces runbooks using only Python stdlib. Before running or giving an agent access to it:
1) Review scripts/generate_runbook.py locally to confirm behavior (no network calls or subprocesses were seen in the visible code).
2) Run it on a copy of your repo or in an isolated environment, especially if the project contains production secrets — the script reads .env and systemd unit files (it attempts to mask .env values but still reads them).
3) If you plan to allow autonomous agent invocation, consider restricting which directories the agent can point it to and avoid exposing host-level/system directories.
4) If you need stronger guarantees, ask the owner for source provenance or audit the rest of the file (the provided file was truncated in the review text); absence of detected network calls in the shown code is reassuring, but verify the full file before trusting it with sensitive projects.

Like a lobster shell, security has layers — review code before you run it.
