Ghostclaw
Pass. Audited by ClawScan on May 1, 2026.
Overview
Ghostclaw appears purpose-aligned for code architecture review, but its optional background monitoring, GitHub PR automation, credential use, and reporting features should be enabled carefully.
Ghostclaw shows no artifact-backed malicious behavior. Before installing, decide whether you actually want background scans, PR automation, self-updates, caching, or Telegram notifications. If you use GitHub automation, use least-privilege credentials and keep the repository list narrowly scoped.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled, Ghostclaw can create visible branches, commits, and pull requests in repositories.
When --create-pr is used, the tool creates a branch, commits a report, pushes it, and opens a GitHub PR. This is disclosed and purpose-aligned, but it mutates repositories and GitHub state.
subprocess.run(["git", "checkout", "-b", branch_name]...)
subprocess.run(["git", "commit", "-m", ...])
subprocess.run(["git", "push", "origin", branch_name]...)
pr_cmd = ["gh", "pr", "create", "--title", title, "--body", body]
Use --create-pr only for repositories where this is acceptable, review generated reports before publishing, and prefer dry-run or no-write modes when testing.
If enabled, Ghostclaw may keep scanning projects and producing feedback or PRs without a fresh manual invocation each time.
The hook mode is a disclosed persistent/background mode that can act on command and system events. It is not shown as hidden, but it is a higher-trust operating mode.
Ghostclaw operates in the background... Listens to Events... periodic system heartbeats... can silently log its findings or proactively open PRs if issues cross a threshold.
Enable hook or cron mode only for specific repositories, keep autoCreatePRs disabled unless intended, and know how to disable the hook.
A broadly scoped GitHub token could allow repository changes beyond what the user intended for architecture reporting.
GitHub credentials are expected for PR automation, but they give the skill delegated authority over repositories.
Set `GH_TOKEN` env variable for PR automation
Use a fine-grained token with the minimum repository permissions needed, and avoid sharing broad personal access tokens with background watcher mode.
PR and notification behavior may depend on code not present in the supplied artifacts or may fail if the package is incomplete.
Watcher mode references helper modules for cache, GitHub, and notifications that are not listed in the provided file manifest, and the registry has no install spec for the package. This looks more like incomplete packaging than malicious behavior, but users should verify the package source before using those features.
from ghostclaw.lib.cache import VibeCache
from ghostclaw.lib.github import GitHubClient
from ghostclaw.lib.notify import Notifier
Install only from a trusted source and verify the complete package contents, especially the GitHub and notification helper modules, before enabling automation.
Running the update option can execute package installation/update logic from external sources.
The self-update path can run git pull or pip install. It is user-invoked and disclosed, but it can replace code with a newer package version.
parser.add_argument("--update", action="store_true", help="Self-update Ghostclaw via pip or git") ... subprocess.run([sys.executable, "-m", "pip", "install", "--upgrade", "ghostclaw"], check=True)
Avoid --update unless you trust the package source, and prefer reviewing updates through your normal dependency-management process.
Architecture findings and repository metadata may remain on disk after analysis.
The tool persists analysis reports locally. This is expected for trend analysis and performance, but reports can reveal repository structure and issue summaries.
This cache stores full analysis reports keyed by a fast repository fingerprint... self.cache_dir = Path.home() / ".cache" / "ghostclaw"
Use a custom cache directory or clear the cache for sensitive repositories.
Project names and architectural issue summaries could be shared outside the local environment.
Notification mode can send repository names, scores, issue summaries, and PR URLs to an external messaging service when enabled.
parser.add_argument("--telegram-token", help="Telegram bot token") ... notifier.notify(repo=repo_url, vibe_score=vibe_score, delta=delta, issues=issues[:10], pr_url=...)
Enable notifications only for approved channels and avoid sending sensitive repository information to untrusted chats.
