Skill v0.1.1

ClawScan security

Monitored Ralph Loop · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:21 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely does what it says (implements an event-driven Ralph loop), but its runtime instructions and script perform actions that are broader than declared (calls external CLIs, writes and packages log tails, suggests system-level changes and permissive flags) and could leak sensitive data or grant excessive privileges if used without caution.
Guidance
This skill implements an event-driven Ralph loop, but it performs actions you should review before running. Key points to check before installing/using:

- Audit scripts/ralph.sh: it writes .ralph/pending-notification.txt containing the project path and a base64-encoded tail of ralph.log, then attempts to schedule delivery via the openclaw CLI. That can leak secrets from logs or your repo. Consider removing or redacting the log export before allowing notifications.
- The metadata doesn't declare the required CLIs (codex, claude, opencode, goose, openclaw, git). Expect the script to fail, or to attempt actions with whatever local CLI config/credentials exist. Confirm and trust any CLI (especially openclaw) before use.
- The script sets default CLI flags that include dangerous options (e.g., --dangerously-skip-permissions for Claude). Remove or change these defaults and avoid auto-approve/full-auto flags unless you understand the consequences.
- The README shows system-level operations (sudo swap creation, systemd service): only do these in a controlled environment. Prefer a disposable VM/container or an isolated test repo/branch. Do not run as root.
- Before running: search your repo and ralph.log for secrets; run the loop first in a throwaway repo; disable automatic notification delivery (or inspect the pending-notification file manually) to prevent unintended data exfiltration.

If you want to proceed safely, run the script in an isolated sandbox, remove or modify the parts that export logs or schedule OpenClaw cron jobs, and avoid the permissive CLI flags. If you have concerns about OpenClaw or the coding CLI, do not grant them implicit access to your primary development environment.

Review Dimensions

Purpose & Capability
note
The skill's name/description (Ralph loop generator) matches the included scripts and templates. However, the package metadata declares no required binaries or env vars while the runtime script expects external CLIs (codex, claude, opencode, goose), git, and openclaw to be present; that's an omission that can surprise users. Requesting none of these in metadata is not proportional but could be an oversight rather than malicious.
Instruction Scope
concern
SKILL.md and scripts instruct the agent/user to read and write project files, create .ralph/pending-notification.txt, include a base64-encoded tail of the log in notifications, and call openclaw cron/gateway commands. The instructions also include commands that touch system state (systemd unit example, swap creation using sudo). Writing the project path and log tails into a notification file and then attempting to schedule delivery to OpenClaw can expose sensitive data (secrets in logs, repo metadata). The SKILL.md also prescribes permission-bypassing flags (e.g., --dangerously-skip-permissions, references to auto-approve flags), which expand the agent's effective scope.
Install Mechanism
ok
There is no install spec; this is an instruction-only skill plus a shell script. That minimizes hidden install-time risk (nothing is downloaded or extracted by the skill itself).
Credentials
concern
The skill declares no required environment variables, but the script uses and suggests RALPH_CLI, RALPH_FLAGS, and RALPH_TEST. More importantly, notifications include the project path and a base64-encoded log tail, which may contain credentials or other secrets. The skill will attempt to call the local openclaw CLI (if present) to schedule cron events; this implicitly uses whatever OpenClaw credentials/config are present, but the skill does not declare or request them up-front. That mismatch (collecting and forwarding potentially sensitive runtime data without explicit credential/environment declarations) is concerning.
Persistence & Privilege
concern
The skill itself is not always-enabled and does not request persistent platform privileges, but its documentation and script encourage persistent deployment patterns: systemd service examples, cron scheduling via openclaw, and auto-restart. Combined with permissive CLI flags and notification scheduling, this enables long-lived autonomous behavior that can repeatedly read/write project files and dispatch notifications. Users could accidentally make it persistent with elevated effect.