Supernal Coding CLI

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a disclosed developer CLI command guide, but it asks you to trust an unreviewed global npm package and includes autonomous/git/cleanup commands that can change a project.

Before installing, verify that you trust the npm package and understand what the CLI will modify. Use autonomous ralph, git automation, --fix cleanup, and cron/heartbeat jobs only in the intended repository and after reviewing their effects.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the package would run and trust code that is not included in the reviewed artifacts.

Why it was flagged

The skill asks users to install a global npm CLI package, but the provided artifact set contains no package code or lockfile for review.

Skill content

npm install -g @supernalintelligence/supernal-coding

Recommendation

Install only if you trust the package source; review the npm package details and prefer pinned versions or a sandboxed environment for first use.

What this means

If run in the wrong repository or without review, these commands could change files, branches, task state, or documentation indexes.

Why it was flagged

The documented commands can automate git workflow, autonomous task execution, and local file cleanup, which are powerful but aligned with the stated developer-workflow purpose.

Skill content

sc git smart                 # Smart commits, branch management
sc ralph execute task-name.md --max-iterations 10
know tidy --fix        # Auto-fix issues (normalize tags, move misplaced files)

Recommendation

Run mutating commands only in the intended repository, preferably on a branch, and review changes before committing or pushing.

Note
High Confidence
ASI10: Rogue Agents

What this means

A scheduled cleanup could repeatedly modify or reorganize knowledge-store files without a fresh prompt each time.

Why it was flagged

The skill suggests recurring scheduled cleanup/reindexing. This is disclosed and user-directed, but it introduces persistent background behavior if the user implements it.

Skill content

# Recommended: add to heartbeat or nightly cron
know tidy --fix && know reindex

Recommendation

Do not add cron or heartbeat jobs unless you understand the affected paths and have reviewed the cleanup behavior.

What this means

A session key may grant access to link or identify OpenClaw session information.

Why it was flagged

The skill references an optional session key for linking tasks to a current session; this is plausible for dashboard integration but is a sensitive session-related value.

Skill content

sc task link TASK-123                # Link to current session (needs OPENCLAW_SESSION_KEY)

Recommendation

Use the session-linking command only when needed, keep OPENCLAW_SESSION_KEY private, and avoid exposing it in logs or shared task notes.

What this means

Local project notes, tasks, or indexed knowledge could influence later agent work if stale or incorrect content is stored.

Why it was flagged

The skill describes local search, indexing, and persistent task storage, which may reuse local project or knowledge content across workflow tasks.

Skill content

sc search <query>            # Search across all content
know reindex           # Rebuild INDEX.md
**Storage:** `.supernal/tasks/` (per-repo) or `~/.supernal/tasks/` (global)

Recommendation

Keep task and knowledge-store content accurate, avoid placing secrets in indexed notes, and confirm what paths the CLI searches or reindexes.