Reaction Processor
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to do what it says—record local OpenClaw workflow events—but it writes persistent database state and should only be used when those log entries are intended.
This skill is reasonable for its stated OpenClaw logging workflow. Before installing or invoking it, confirm you are in the intended local Supabase/Postgres environment, that writing event/reaction rows and trigger fire metadata is desired, and that mission titles do not contain sensitive information you do not want persisted in workflow logs.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill can create workflow history and update trigger fire counts/last-fired time, which may affect how the closed-loop workflow is interpreted later.
The skill runs a local shell command that directly mutates database event, reaction, and trigger metadata tables. This matches the stated purpose, but it is still a high-impact action if invoked at the wrong time.
docker exec -i "$DB_CONTAINER" psql -U "$DB_USER" -d "$DB_NAME" <<SQL ... INSERT INTO public.openclaw_agent_events ... UPDATE public.openclaw_trigger_rules
Use it only after confirming the duplicate-skipped or proposal-created outcome actually occurred, and keep normal database rollback or audit procedures available.
If the script is run in the wrong environment, it may write to the wrong local database or do so with more privilege than a logging task needs.
The script connects to the local database container as the postgres user. The included SQL is narrowly scoped, but the database role itself is broadly privileged.
DB_CONTAINER="supabase-db" DB_USER="postgres" DB_NAME="postgres"
Prefer a least-privileged database role limited to the required OpenClaw tables, or run only in a controlled development/workflow environment.
Sensitive information in mission titles could be preserved in OpenClaw event/reaction records.
The script copies mission titles into persistent event and reaction metadata. That is expected for logging, but those titles may later be reused as workflow context.
COALESCE(string_agg(title, ' | ' ORDER BY created_at), '') ... jsonb_build_object('trigger_name', v_trigger.name, 'stale_count', v_stale_count, 'titles', v_titles)
Avoid putting secrets or private details in mission titles, or adjust the script to redact titles before logging.
The skill may fail or behave unexpectedly unless the expected local container environment already exists.
The registry metadata does not declare runtime dependencies, while the provided script requires Docker access to a local Supabase/Postgres container. This is an operational disclosure gap rather than evidence of malicious behavior.
Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.
Document Docker/container prerequisites and the intended database environment before using the skill.
