Skill v0.4.0
ClawScan security
Multi Workplace · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 17, 2026, 6:04 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (managing per-project workplaces and running per-workplace agents), but it reads and uses user-editable Markdown files as system prompts, writes/overwrites project and home files, and runs a background watcher. These behaviors are coherent with the feature but create prompt-injection and file-modification risks you should understand before installing.
- Guidance: This skill appears to do what it says, but it operates on and modifies local files and uses user-editable Markdown to build system prompts for spawned agents, which is a real prompt-injection and file-modification risk. Before installing or running it:
  1. Review the included scripts (init_workplace.sh, build.sh) and the Rust server source to confirm they do what you expect.
  2. Back up CLAUDE.md, opencode.jsonc, and any important project files in case the skill overwrites them.
  3. Inspect any .workplace/agents/*.md files (or any workplace skills pulled from git) before allowing them to run, since their contents become system prompts for subagents.
  4. Prefer building and running the Rust server yourself rather than running an untrusted prebuilt binary.
  5. Only install from a trusted source, and consider limiting write access (or running in a sandbox) if you must evaluate it in an untrusted environment.
  If you want, I can point out the exact lines in the scripts and SKILL.md that perform file writes and compose system prompts so you can review them more easily.
- Findings
  - [system-prompt-override] expected: SKILL.md and references explicitly build system prompts from .workplace/agents/*.md and project files; the regex scanner flagged possible 'system-prompt-override' patterns. This is expected (the feature relies on composing prompts from user-editable files) but is also the primary risk vector: malicious or untrusted agent/markdown content can inject instructions into spawned agents.
Review Dimensions
- Purpose & Capability (ok): Name/description align with the files and scripts: the skill scans repos, creates per-project .workplace/ directories, runs a Rust file-watcher, spawns agents, and syncs IDE context. The requested artifacts (registry in ~/.openclaw/workspace, per-project .workplace/) are consistent with the advertised functionality.
- Instruction Scope (concern): The SKILL.md instructs the agent to read many local files (README.md and other *.md, structure.json, config.json), to use agent .md files as the basis for system prompts, to write/modify project-root files (CLAUDE.md, opencode.jsonc, .cursor rules), and to update ~/.openclaw/workspace/registry.json and current.json. Using user-editable agent definitions and arbitrary project files to build system prompts is a prompt-injection risk; writing IDE/config files can clobber user content if not carefully handled.
- Install Mechanism (note): No install spec (instruction-only), lowering install risk. The package includes build scripts and Rust source for a local file-watcher server; building runs locally and copies the binary into assets/bin. There are no network downloads or opaque external installers in the package. Pre-built binaries are mentioned but not bundled in the listed manifest; build-from-source is provided.
- Credentials (note): The skill asks for no environment variables or external credentials. It does, however, read/write the user's home (~/.openclaw/workspace/) and project directories and expects access to git, jq, and optionally the Rust toolchain. It also writes to 'supermemory' via containerTag (platform memory), which is appropriate for multi-workplace memory but worth noting since it stores project summaries in platform memory.
- Persistence & Privilege (note): always:false (good). The skill spawns persistent components (kernel agent, background Rust watcher) by design and updates process-status.json and registry files. This is coherent with its purpose but increases the blast radius, because these background processes read and act on local files continuously.
