Fork Manager
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: fork-manager
Version: 2.0.1

The skill is flagged as suspicious because of a critical Remote Code Execution (RCE) vulnerability in the `postSyncHooks` feature described in `SKILL.md`. That feature lets the agent execute arbitrary shell commands defined in the `config.json` file, which an attacker who can tamper with the configuration file could exploit. Additionally, the AI-driven automatic resolution of 'semantic' conflicts, while intended to be helpful, carries a significant risk of introducing subtle bugs or vulnerabilities into the codebase: the AI's interpretation of the code's logic may be flawed, and the resulting changes are pushed to the remote repository.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A configured cron/full-sync run could update or push branches automatically, which may affect CI, collaborators, or deployments tied to those branches.
The skill can run git/gh workflows that rebase and push branches without interactive prompts when intentionally used in cron mode. This is expected for automated fork syncing, but it can change remote repository state.
"Cron Mode ... Skip interactive prompts ... Rebases: attempt automatically ... If rebasing 20+ PRs, batch push at the end instead of per-branch"
Use this only on repositories and branches where automated rebasing/pushing is acceptable; consider branch protection, backups, and manual review for production branches.

Repository operations may continue in a worker session rather than directly in the main chat, reducing immediate visibility into every command.
The skill instructs the main agent to spawn a worker subagent, monitor it, kill/restart it if stalled, and retry up to two times. This is disclosed and bounded, but it gives the workflow more autonomous execution behavior.
"The skill must NEVER be executed inline by the main agent. Always use the orchestrator/worker pattern ... sessions_spawn ... Maximum of 2 retries"
Monitor spawned sessions, review their history/output, and avoid using cron or auto-retry modes on sensitive repositories unless you are comfortable with unattended execution.

The skill may act with the permissions of whichever GitHub account and git remotes are configured locally.
Git and GitHub CLI commonly use the user's existing local GitHub login, SSH keys, or git credentials for API access and pushes. That access is expected for this skill's purpose.
"Requires Git and GitHub CLI (gh)."
Before running, verify `gh auth status`, repository remotes, and branch targets so the skill uses the intended account and fork.

Local configuration and history could reveal repository paths, workflow details, and maintained patch information if accidentally shared or committed.
The skill keeps persistent per-repository state such as local paths, PR lists, and sync history. This is purpose-aligned but should be treated as local private context.
"config.json files are not versioned in Git ... Contains environment-specific information (local paths, PR lists, sync history)"
Keep `repos/*/config.json`, checkpoints, and history files out of public repositories and review them before sharing the skill directory.
