Trigger Evaluator
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is aimed at trigger evaluation, but its main command runs an unreviewed hard-coded workspace script and uses local database privileges.
Before installing, review or provide the referenced stale_missions_engine.sh script, confirm it targets the intended Supabase/Postgres container, and avoid running the evaluate command on important data until the external engine is understood.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the evaluator may execute whatever script exists at that local path, potentially affecting trigger or mission state outside what this package shows.
The primary evaluate command executes a script at a hard-coded workspace path that is not included in the supplied manifest, so the core behavior and provenance cannot be reviewed here.
    WORKSPACE="/home/cmart/.openclaw/workspace"
    ENGINE="$WORKSPACE/scripts/stale_missions_engine.sh"
    ...
    exec "$ENGINE"
Include or pin the engine script in the reviewed package, or require users to explicitly verify that local script before running the evaluate command.
The skill can read trigger rule configuration from the local database container when Docker access is available.
The inspect command uses local Docker access to query the Postgres database as the postgres role. The included SQL is fixed and read-only, but the privilege level is broad.
    DB_CONTAINER="supabase-db"
    DB_USER="postgres"
    DB_NAME="postgres"
    ...
    docker exec -i "$DB_CONTAINER" psql -U "$DB_USER" -d "$DB_NAME"
Run it only against the intended local container and prefer a least-privilege or read-only database role if possible.
