Reliability Evidence Pack
v2.0.2Provides tools to record, validate, and report agent operational reliability artifacts using standardized schemas for consistent monitoring and compliance.
⭐ 0· 288·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (Reliability Evidence Pack) match the delivered artifacts: JSON schemas, CLI, validation scripts, cron helpers, examples, and CI integration. Requested capabilities (file read/write, process execute, Node runtime) are appropriate for building local artifact capture/validation tooling.
Instruction Scope
SKILL.md instructions stay within the stated purpose (run Node scripts, write to configurable artifacts dir, run local GitHub Action). However examples and quickstart include absolute user workspace paths and sample commands that read/write user files (e.g., /home/.../.openclaw/workspace, USER.md). These are expected for a logging/audit pack but are sensitive: follow the SKILL.md guidance to isolate REP_ARTIFACTS_PATH and add artifact paths to .gitignore. Also SKILL.md claims all scripts operate locally with no telemetry — you should still inspect larger scripts (rep.mjs, rep-validate.mjs, and github-action/entrypoint.sh) before use to confirm no unexpected network calls.
Install Mechanism
There is no automated install spec in the registry (instruction-only), which is lower intrinsic risk. The bundle includes a CLI with a package.json; following the documented 'npm install -g' will pull dependencies from the public npm registry (chalk, commander). That is normal but means you will download external packages at install time; installing and running the scripts will write files to disk. The bundle does not include downloads from arbitrary URLs in the SKILL.md.
Credentials
The skill declares no required credentials and only a small set of optional environment variables for artifact and schema paths and log file location. That is proportional to its function. The SPEC mentions artifact signing fields but key management is operator-defined and the SKILL.md explicitly warns not to store private keys in artifacts.
Persistence & Privilege
Registry-level flags provided earlier indicate the skill can be invoked autonomously (disable-model-invocation: false), while the included _meta.json lists 'autonomous_invocation': false — a minor inconsistency. The skill does not request always:true or system-level privileges. Because the skill can be executed autonomously by agents (platform default), consider whether you want the agent to run validation/heartbeat cron scripts without human review.
Assessment
This package appears to do what it says: local collection, schema validation, and bundle generation for reliability artifacts. Before installing or running it: 1) Inspect the large scripts (scripts/rep.mjs, scripts/rep-validate.mjs, scripts/rep-heartbeat-cron.mjs, and github-action/entrypoint.sh) for any network calls or unexpected execs. 2) Configure REP_ARTIFACTS_PATH to an isolated, access-controlled directory and add it to .gitignore. 3) Never place private signing keys in the artifacts directory — use an external KMS/vault. 4) Prefer running the cron/heartbeat scripts in a container or unprivileged account first, and review the GitHub Action entrypoint before adding to CI. 5) If you do not want autonomous agent invocation, disable model invocation for this skill in your agent settings. If you want, I can scan the full contents of rep.mjs and rep-validate.mjs for network/system calls and highlight any lines of concern.Like a lobster shell, security has layers — review code before you run it.
auditvk97cggb6qcda47rcwtenekhqw5825aw0evidencevk978cy4h807pb19ry4wtwmpp958258w7latestvk97cggb6qcda47rcwtenekhqw5825aw0reliabilityvk97cggb6qcda47rcwtenekhqw5825aw0repvk97cggb6qcda47rcwtenekhqw5825aw0securityvk97cggb6qcda47rcwtenekhqw5825aw0v2vk97cggb6qcda47rcwtenekhqw5825aw0
License
MIT-0
Free to use, modify, and redistribute. No attribution required.