Reliability Evidence Pack

Audited by ClawScan on May 10, 2026.

Overview

Review before installing: the pack is mostly a local reliability-logging tool, but its advertised CLI can falsely report validation/report success without doing the work.

Install only if you need local reliability-evidence artifacts. Prefer the direct validation scripts over the packaged `rep` CLI unless the CLI is fixed, keep artifact directories private and out of source control, and enable cron only when you want continuous background recording.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user or CI workflow could believe reliability evidence was validated when this CLI path did not actually validate anything.

Why it was flagged

The `rep validate` command prints that validation passed without reading artifacts, schemas, or a config file. Since the skill is marketed for validation and compliance reporting, this can create false assurance.

Skill content
console.log(chalk.blue('Validating REP configuration...')); ... console.log(chalk.bold.green('\n✓ Validation passed!'));
Recommendation

Do not rely on the packaged `rep` CLI until it calls the real validator and exits nonzero on failures; use reviewed direct scripts such as `scripts/rep-validate.mjs` instead.

What this means

Running the tool executes local JavaScript with the user account's permissions.

Why it was flagged

The tool can spawn a local Node process. This is purpose-aligned for invoking a validator, but it is still local command execution.

Skill content
const child = spawn('node', validateArgs, { stdio: 'pipe' });
Recommendation

Run it from a trusted copy of the bundle, avoid elevated privileges, and review command arguments before using it in automation.

What this means

If enabled, the heartbeat job will keep running and writing logs/artifacts until the user removes the cron entry.

Why it was flagged

The skill documents optional scheduled heartbeat recording. It says the operator must configure cron, so this is disclosed persistence rather than hidden background behavior.

Skill content
# Add to crontab - run heartbeat every 5 minutes
*/5 * * * * cd /path/to/rep && REP_ARTIFACTS_PATH=./artifacts node scripts/rep-heartbeat-cron.mjs >> /var/log/rep-heartbeat.log 2>&1
Recommendation

Only add the cron job if ongoing monitoring is desired, and document how to disable or remove it.

What this means

Sensitive context, decisions, or memory-like information could remain in local artifact files and later be shared or committed accidentally.

Why it was flagged

The skill intentionally records persistent context and decision artifacts. This is disclosed and purpose-aligned, but those records may contain private operational or user data.

Skill content
REP captures context snapshots, decision logs, and memory-like artifacts that may contain sensitive information.
Recommendation

Use an access-controlled artifact directory, add it to `.gitignore`, redact before sharing, and avoid storing secrets in REP artifacts.