Wander Monitor
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill’s CI-monitoring purpose is coherent, but it tells the agent to automatically run unreviewed background shell scripts after pushes using the user’s GitHub setup.
Install only if you trust the Wander repository and are comfortable with the agent starting background monitors after pushes. Prefer pinning the Wander version, inspecting wrapper scripts before use, and requiring confirmation before any automatic background execution.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A push could cause unexpected background commands to run in the working repository.
This directs the agent to automatically launch background shell-based monitoring after pushes, including repository-local wrapper scripts, without an explicit confirmation step.
After every `git push` that triggers GitHub Actions, start Wander in background mode ... If `.workflows.yml` exists in the repo root: prefer a project wrapper (`scripts/watch-*.sh`) when present.
Make monitoring opt-in or require confirmation before starting; show the exact command and wrapper path before execution.
The behavior depends on code that is not included in this package and may change outside the skill review.
The install guidance pulls executable scripts from an external repository without a pinned commit or release, then the skill later instructs the agent to run those scripts automatically.
git clone https://github.com/ERerGB/wander.git ~/code/wander
cd ~/code/wander
chmod +x *.sh
Pin Wander to a reviewed commit or release, include checksums or a signed release, and avoid automatic execution until the installed scripts are inspected.
Commands run by Wander may act with the GitHub permissions already available to the local gh CLI.
The monitoring workflow relies on the user's GitHub CLI authentication, which is expected for GitHub Actions monitoring but should be visible to the user.
`gh` CLI installed and authenticated
Use a minimally scoped GitHub login/token and review any command before allowing reruns or other workflow actions.
Monitoring processes and log files may remain after the initial interaction.
Detached/background modes are disclosed and fit the monitoring purpose, but they continue outside the immediate terminal session and write persistent logs.
| Detached | `watch-workflow-detached.sh` | Close terminal; logs under `~/.wander_logs/` |
Tell users when detached/background mode is used, where logs are written, and how to stop or clean up monitors.
