Skill v1.0.0
ClawScan security
Workplace · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 17, 2026, 11:29 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's files and instructions largely match a workplace/agent orchestration tool, but there are several behaviours (auto-initializing many repos, writing/modifying project and home config files, spawning persistent processes, and building/running a file-watcher) and a detected 'system-prompt-override' pattern that merit caution before installing.
- Guidance: This skill does what it claims (manage per-project workplaces, run multi-agent orchestration, and run a Rust file-watcher), but it makes persistent, wide-reaching changes: it creates/updates .workplace/ folders inside projects, writes to ~/.openclaw/workspace/.workplaces (registry/current/loaded/sessions), may modify project files like CLAUDE.md/.cursor rules/opencode.jsonc, auto-initializes children in parent dirs, and can start background processes. Before installing: (1) Review the scripts (init_workplace.sh, build.sh, etc.) line-by-line and the Rust server code; (2) avoid running init on a high-level parent directory unless you want many repos auto-initialized; (3) back up repositories or run in an isolated environment (container/VM) first; (4) if you will build the server, run build.sh manually and inspect the produced binary before executing; (5) be aware that agent prompts will include file contents (risk of leaking secrets or allowing prompt injection), so ensure sensitive files are excluded or add .workplace to .gitignore and configure ignorePatterns appropriately; (6) consider running with limited permissions and monitor ~/.openclaw/workspace/ for unexpected changes. If you want, I can point out specific lines in the scripts that modify home or project files and explain them in detail.
- Findings
- [system-prompt-override] (expected): The SKILL.md and agent docs explicitly instruct assembling system prompts from workspace structure and agent .md files (used to spawn subagents). That explains the detection and is expected for a multi-agent orchestrator, but it is a high-risk pattern because ingesting arbitrary repository contents into model prompts can enable prompt injection or accidental inclusion of secrets — review what will be included in prompts.
Review Dimensions
- Purpose & Capability (note): The name/description match what the files implement: registry in ~/.openclaw/workspace/.workplaces, per-project .workplace folders, an agent kernel, Rust file-watcher, and IDE sync. Requiring filesystem access, git detection, and an optional Rust toolchain is coherent with the stated purpose. One notable behavior is automatic initialization of child repositories when run on a parent directory (init_workplace.sh can recurse across children and auto-initialize), which is functionally consistent but potentially intrusive if the user doesn't expect mass changes.
- Instruction Scope (concern): SKILL.md and the referenced scripts instruct the agent to read and write many files (project files, .workplace/*, ~/.openclaw workspace registry, CLAUDE.md, .cursor rules, opencode.jsonc). The orchestrator builds system prompts by ingesting structure.json and agent .md contents — useful for multi-agent operation but flagged by the static scan as a 'system-prompt-override' pattern. The skill will modify project files and the user's home registry, auto-create sessions, and can start background processes (kernel agent + file-watcher). Those are expected features but broaden the surface for accidental data exposure, accidental repository modification, or prompt-injection effects if untrusted files are included in prompts.
- Install Mechanism (note): There is no install spec — the package is instruction- plus code-file based. build.sh compiles a local Rust server using cargo (no remote arbitrary download in the scripts shown). Pre-built binaries are mentioned in the README but not required by an install spec. Building requires the Rust toolchain; scripts copy compiled binaries into the skill's assets. This is moderate risk: code will be written to disk and services may be started locally, but no suspicious remote download was detected in the provided files.
- Credentials (note): The skill requests no environment variables or external credentials. It does require filesystem access, git, and optionally the Rust toolchain — which matches its functionality. It also references 'supermemory' sync (OpenClaw platform feature) but does not declare or request credentials; that likely relies on platform-managed access. No unrelated credentials are requested.
- Persistence & Privilege (concern): The skill spawns persistent components (kernel agent, background Rust file-watcher) that monitor and write to project files and ~/.openclaw/workspace/.workplaces/* and can update process-status.json and sessions. always:false (good), but the skill will create long-lived files/processes and can modify workspace and project files persistently, so the user should be aware of the ongoing footprint and potential cross-workspace effects.
