Code Archaeology
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill does not show malware or exfiltration, but its helper scripts appear hard-coded around a single finance/PHP example while the skill claims broad legacy-code analysis, which could mislead users and downstream agents.
Use this skill cautiously as a drafting or template aid, not as a trusted analyzer. Before letting AI Plan Generator or ClawTeam act on its outputs, verify that every generated rule, API spec, and migration recommendation is actually supported by your codebase. Keep analysis directories private and remove sensitive outputs when finished.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users or agents may trust generated migration plans, business rules, or security recommendations that are not actually derived from their project.
The helper code is hard-coded around a specific zbs_php/finance analysis and labels generated rules as "based on Code Archaeology analysis", even though the skill description claims broad analysis of PHP, Java, Python, or other legacy systems.
`const files = [ 'zbs_php_api_analysis.md', 'zbs_php_security_audit_results.md', ... ]; ... return ['finance']; // default to the finance domain ... title: '财务业务规则(基于Code Archaeology分析)'`
Require the tool to fail when expected project-specific inputs are missing, clearly label sample/template output, and validate generated documents against the real codebase before using them for planning or automated work.
Incorrect analysis could drive broader automated planning or implementation work across a project.
The skill's outputs are intended to feed downstream AI planning and ClawTeam workflows. If the generated context is hardcoded or inaccurate, the error can propagate into multi-agent migration tasks.
Context Documents: AI-executable business rules and technical specifications ... `clawteam create --name "finance-migration" --description-file campaign.md`
Treat generated context as draft material only, require human review before ClawTeam use, and add checks that tie every generated rule/specification back to source evidence.
Sensitive project knowledge may remain in workspace files and be reused in later analysis.
The skill persistently stores analysis artifacts that may include proprietary business logic, vulnerability findings, and references to source code.
The analysis is stored in the `.code-archaeology/` directory within your workspace for future reference and incremental updates.
Run it only on intended repositories, review stored outputs for secrets or sensitive details, and delete or protect `.code-archaeology/` when no longer needed.
Users may run the wrong file path or rely on packaging details that do not match the submitted artifacts.
The README documents manual execution from a hard-coded local path and a scripts/ directory layout that does not match the provided file manifest, creating some provenance and usability ambiguity.
`cd /Users/admin/.npm-global/lib/node_modules/openclaw/skills/code-archaeology/scripts`
`node convert-to-ai-plan-generator.cjs`
Fix the documented paths, align metadata and package layout, and clearly declare which scripts are intended to be run.
