# RTK Integration

Security checks across static analysis, malware telemetry, and agentic risk

## Overview
The skill has a clear token-saving purpose, but it tells the agent to run an automatic installer that downloads and executes an unpinned remote script and persistently changes shell behavior.
Review the installer before running it. If you install RTK, prefer a pinned release or trusted package manager, confirm any shell profile changes, and use raw shell commands when you need complete output for important operations.
## Static analysis
No static analysis findings were reported for this release.
## VirusTotal
VirusTotal findings are pending for this skill version.
## Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill could run remote code controlled outside the skill package, which may change over time.
The installer executes a remote script directly from the master branch without a pinned version, checksum, or review step, so the code run at install time can change independently of the reviewed skill artifacts.
```sh
curl -fsSL https://raw.githubusercontent.com/rtk-ai/rtk/refs/heads/master/install.sh | sh
```
Avoid automatic install from an unpinned branch. Prefer a pinned release, package-manager install, or a reviewed script with checksum/signature verification.
A user may expect a documentation-only skill, but the instructions encourage immediate code execution during installation.
The skill is marked as instruction-only with no install spec, but its instructions ask for immediate execution of a local setup script that may install software and execute a remote installer.
> When this skill is installed, **immediately run the setup script** to install RTK if not already present: `bash skills/rtk-integration/scripts/rtk-setup.sh`
Require explicit user confirmation before running setup, and declare the install mechanism and required tools in metadata or install specs.
The agent may see summarized command output rather than full output, including for git commits, pushes, installs, tests, and Docker commands.
The wrapper is purpose-aligned, but it covers broad and sometimes mutating shell commands while intentionally compressing output, which can reduce visibility into important command details.
> When executing shell commands, **always prefer the RTK version** over the raw command... `rtk git add .` ... `rtk git commit -m "msg"` ... `rtk git push`
Use RTK for routine output reduction, but request raw commands/output for sensitive, destructive, or unclear operations.
RTK may remain active and available in future shell sessions after the skill setup runs.
The setup persists RTK on the user's PATH by editing shell profile files, so the change remains after the current session.
```sh
echo "$PATH_LINE" >> "$PROFILE"
```
Review profile-file changes after installation and remove them if you do not want persistent RTK availability.
