Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ghostclaw

v1.0.1

Architectural code review and refactoring assistant that perceives code vibes and system-level flow issues. Use for analyzing code quality and architecture,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the included analyzer, watcher, and CLI code: the package is built to scan repos, compute metrics, and optionally open PRs. However, some ghostclaw.lib.* modules (such as VibeCache, GitHubClient, Notifier) are referenced by the CLI/watcher but are not present in the provided file manifest or file listing. This internal inconsistency will likely cause runtime failures.
! Instruction Scope
SKILL.md and HOOK.md instruct the agent to clone/pull repositories, scan arbitrary repositories (local or remote), write timestamped report files into target repositories, and open PRs automatically. Those instructions imply reading and modifying arbitrary repos on disk and network access to GitHub; those behaviors are consistent with the stated purpose but are sensitive (access to repo contents and the ability to create commits/PRs). The skill also instructs being run as a hook reacting to system/command events — this expands its runtime surface significantly if enabled.
Install Mechanism
No formal install spec in registry; SKILL.md suggests 'pip install -e .' and the code contains an update routine that uses git pull or pip to self-update. There are no suspicious remote download URLs in an install spec, but the self-update logic will run 'git pull' and 'pip install', which can execute code fetched from whatever remote the installed package is tracking. This is standard but worth noting if provenance is uncertain.
! Credentials
The registry metadata lists no required env vars, but SKILL.md and code clearly expect credentials: GH_TOKEN (or --gh-token / gh CLI auth) for PR automation, optional Telegram tokens for notifications, and it uses dotenv. These credentials are not declared in requires.env. The skill asks for ability to run 'gh' and 'git' and to write into repos; those privileges should be considered sensitive and should be tied to explicitly-declared, scoped credentials. The mismatch between what's declared and what the code uses is problematic.
Persistence & Privilege
always:false (good). However HOOK.md documents enabling Ghostclaw as an OpenClaw hook that listens to command/system events and can run automatically and open PRs. Enabling such a hook gives ongoing background access to analyze and modify repos — a powerful capability that should only be granted if you trust the skill's provenance. The skill itself does not request to be always-enabled, but can be made persistent by user action.
Scan Findings in Context
[no_pre_scan_signals] expected: The regex-based pre-scan reported no injection signals. That doesn't offset the other inconsistencies (missing referenced modules, undeclared env vars). Absence of findings is not proof of safety.
What to consider before installing
What to consider before installing or enabling Ghostclaw:

- Missing/undeclared pieces: The code references helper modules (ghostclaw.lib.* like VibeCache, GitHubClient, Notifier) that are not present in the provided manifest. This will likely break at runtime. Ask the publisher for the full package or inspect the missing files before use.
- Credentials: The tool uses GH_TOKEN (or --gh-token) and can open PRs and push branches. Do NOT supply a full-all-scopes token. If you must provide a token, create a narrowly-scoped GitHub token with the minimum permissions (or use gh CLI auth with limited scope), and only for repositories you trust.
- Hooks & autonomy: Enabling the hook gives the skill ongoing access to analyze and modify repositories on events. Only enable hooks if you trust the author's provenance and reviewed the code. The skill is not 'always' forced on by default, but enabling hooks grants background capability.
- Self-update risk: The CLI can run 'git pull' and 'pip install' to update itself. That means new code could be pulled and executed. Prefer installing from pinned, auditable releases or from a trusted package index; avoid enabling automatic self-updates without review.
- Run in isolation first: Try running the tool in a sandbox or on a non-sensitive/local test repo to observe behavior (and confirm missing modules) before letting it scan important repos or giving it credentials.
- Ask for provenance: The registry lists no homepage/official source in metadata; HOOK.md references a GitHub URL. Verify the upstream repository, publisher identity, and release artifacts before trusting automated write/PR behavior.

If you want, I can: (1) list the exact import/filename mismatches found so you can ask the author for missing files, or (2) suggest exact minimal GitHub scopes for a token if you decide to run it with limited privileges.

Like a lobster shell, security has layers — review code before you run it.
