Openclaw Godmode Skill Repo
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: cc-godmode
Version: 5.11.3

The skill is classified as suspicious due to its extensive use of high-risk capabilities, including broad `Bash` execution, file system modification (`Read`, `Write`, `Edit`, `mkdir`), and network access (`WebSearch`, `WebFetch`, `GitHub MCP`, `Playwright MCP`). While these capabilities are explicitly declared in `SKILL.md` and `clawdis.yaml` and are plausibly necessary for an 'autonomous multi-agent development workflow', they inherently present a significant attack surface. The `SKILL.md` and other documentation files also serve as a prompt injection surface for the AI agent, even though the current instructions do not contain explicit malicious commands. The transparency about runtime requirements and the explicit instruction 'NEVER git push without permission' weigh against a 'malicious' classification, but the inherent power granted to the agent warrants a 'suspicious' label.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could ask for release preparation and have the agent publish repository changes or trigger CI/CD before they expected a final review step.
Publishing releases, creating tags, and triggering CI/CD are high-impact GitHub/repository actions. The workflow makes them part of the normal release path, but the artifacts do not clearly require a separate user confirmation for these mutations.
**Trigger:** `Prepare Release` ...
**@github-manager**
- Publish
- Create git tag
- Create GitHub release
- Trigger CI/CD
Add explicit approval gates for GitHub release creation, tag creation, PR merge, issue close, CI/CD triggers, and any remote repository mutation; scope operations to the current repository and branch.
During use, the agent may run tests, build commands, shell commands, or tooling that can modify the local project environment.
The package itself does not execute code at install time, but it explicitly instructs runtime agents to execute commands and use network access.
security:
  install_time_executes_code: false
  runtime_agent_executes_code: true
  runtime_agent_network_access: true
Use it in repositories you trust, review planned commands before execution, and run with least-privileged local and GitHub accounts.
If broad credentials are available, the agent may be able to act on GitHub or MCP-connected services beyond the immediate task.
GitHub, Claude, and MCP credentials are expected for the documented integrations, but they grant delegated authority to the agent at runtime.
runtime_credentials:
  optional:
    - GH_TOKEN (for GitHub operations)
    - Claude/Anthropic auth (if using Claude Code workflows)
    - MCP server auth/config (if applicable)

Use least-privilege GitHub tokens, restrict MCP server access, and avoid running the workflow with credentials that can affect unrelated repositories or organizations.
Stored decisions or research notes could influence later work, and incorrect or sensitive entries may be reused if memory is enabled.
The researcher agent is documented as using memory to store and reuse context across tasks, which is purpose-aligned but can persist or bias future decisions.
### Memory Usage
- Store: Key decisions, no-go technologies, verified sources
- Query: Before new research, check existing findings
Do not store secrets in agent memory, periodically review or clear memory entries, and treat remembered research as advisory rather than authoritative.
