Catl Harness Pr
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill is mostly aligned with submitting GitHub PRs, but its credential-handling and Git remote scripts create review-worthy risk.
Before installing or running this skill, review the scripts, run dry-run mode first, verify that `origin` points to your intended fork, do not run unredacted grep commands on credential files, and use a least-privileged GitHub authentication method rather than an all-repositories write token.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A GitHub token could be exposed to the agent transcript or logs and then used to access or modify repositories.
A literal grep can print GitHub token values from the .env file into terminal output, logs, or agent context, even though the surrounding guidance says not to echo tokens.
先查是否已存了 GitHub 凭证(`grep GITHUB_ ~/.openclaw/.env`);但**不要自己往 .env 里写新 token**
Change this to a presence-only or redacted check, such as `grep -q '^GITHUB_' ~/.openclaw/.env` or a command that prints only variable names, not values.
If that PAT is leaked or misused, it could affect many repositories, not just the CATL Harness fork.
For a single CATL Harness fork/PR workflow, recommending a token with read/write access to all repositories is broader than necessary.
Repository access:选 `All repositories` 最省事... Permissions: `Contents: Read and write` ... `Pull requests: Read and write`
Use the least-privileged option: create the fork first, then issue a fine-grained PAT limited to that fork where possible, and avoid broad classic `repo` or all-repository write scopes.
A misconfigured or unexpected remote could receive private repository contents during sync.
When an existing local repo has an unknown `origin`, the script only warns and later may push `main` to that same origin instead of stopping for confirmation.
warn "origin 指向未知 URL: $current_origin" ... warn "如果这是预期,跳过;否则手动修复。" ... run "git push origin main"
Stop on unknown remotes unless the user explicitly approves, and validate expected HTTPS and SSH fork URL forms before any push.
If those values contain shell metacharacters, the script could execute unintended local commands.
The helper uses `eval` with command strings containing environment- or argument-derived values such as repo paths and GitHub usernames.
run() { ... eval "$@" ... } ... run "git clone $FORK_URL $REPO_DIR"Remove `eval`, use shell arrays with properly quoted arguments, and validate environment-provided paths/usernames before running Git commands.