Catl Harness Pr
Pass
Audited by VirusTotal on May 9, 2026.
Overview
Type: OpenClaw Skill
Name: catl-harness-pr
Version: 0.3.1
The skill bundle is designed to automate Pull Request submissions to the 'BlueFocusContentUniverse/catl_harness_repo' GitHub repository. It includes comprehensive instructions for the AI agent to manage Git workflows, including environment checks, forking, and PR creation. Notably, the documentation (SKILL.md and auth-setup.md) contains explicit security guidelines for the agent, such as preventing token leakage in logs and refusing to share credentials between agents. While the shell scripts (preflight.sh and setup-fork.sh) utilize 'eval' for command execution (a potential shell injection vulnerability), there is no evidence of malicious intent, data exfiltration, or unauthorized access. The logic is consistent with standard DevOps practices for version-controlled knowledge management.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A GitHub token could be exposed to the agent transcript or logs and then used to access or modify repositories.
A literal grep can print GitHub token values from the .env file into terminal output, logs, or agent context, even though the surrounding guidance says not to echo tokens.
First check whether GitHub credentials are already stored (`grep GITHUB_ ~/.openclaw/.env`); but **do not write a new token into .env yourself**
Change this to a presence-only or redacted check, such as `grep -q '^GITHUB_' ~/.openclaw/.env` or a command that prints only variable names, not values.
If that PAT is leaked or misused, it could affect many repositories, not just the CATL Harness fork.
For a single CATL Harness fork/PR workflow, recommending a token with read/write access to all repositories is broader than necessary.
Repository access: choosing `All repositories` is the easiest... Permissions: `Contents: Read and write` ... `Pull requests: Read and write`
Use the least-privileged option: create the fork first, then issue a fine-grained PAT limited to that fork where possible, and avoid broad classic `repo` or all-repository write scopes.
A misconfigured or unexpected remote could receive private repository contents during sync.
When an existing local repo has an unknown `origin`, the script only warns and later may push `main` to that same origin instead of stopping for confirmation.
warn "origin 指向未知 URL: $current_origin" ... warn "如果这是预期,跳过;否则手动修复。" ... run "git push origin main"
Stop on unknown remotes unless the user explicitly approves, and validate expected HTTPS and SSH fork URL forms before any push.
If those values contain shell metacharacters, the script could execute unintended local commands.
The helper uses `eval` with command strings containing environment- or argument-derived values such as repo paths and GitHub usernames.
run() { ... eval "$@" ... } ... run "git clone $FORK_URL $REPO_DIR"
Remove `eval`, use shell arrays with properly quoted arguments, and validate environment-provided paths/usernames before running Git commands.
