Automate
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a transparent automation-advice skill. Users should still review each generated script before it runs, especially when it touches files, Git repositories, APIs, or credentials.
Before installing, be comfortable with the agent proposing automation scripts, and review each generated script before execution: in particular, scripts that rename or edit files, commit or push code, call APIs, or read credentials from the local keychain.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated script could change files or run local commands if executed.
The skill can lead the agent to generate and execute scripts. That is central to the stated automation purpose, but generated code should still be reviewed before it runs.
- 3rd time: Stop. Write the script first, then run it.
Require review and explicit approval before running generated scripts, especially scripts that modify files, call APIs, or affect repositories.
If copied directly, a script could commit and push accidental changes or sensitive files.
The Git workflow template stages every tracked and untracked change (`git add -A`) and pushes immediately. That is transparent and purpose-aligned for automation, but it is broad: it will commit any file that .gitignore does not exclude, and there is no pause between commit and push in which to catch an unintended file.
git add -A && git commit -m "$1" && git push
Review diffs before commit, avoid blanket `git add -A` for sensitive repos, and require confirmation before pushing.
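A guarded alternative to the template above, added here as an illustration and not taken from the skill: it stages only the paths named on the command line instead of `git add -A`, refuses to commit when any staged path matches a denylist of credential-like names, prints the staged diff summary, and pushes only after an explicit `yes`, which is also the kind of approval step Finding 1 asks for. The denylist patterns and the function names are illustrative assumptions, not part of the skill.

```bash
#!/usr/bin/env bash
# Added example, not the skill's own template. The denylist below is an
# illustrative assumption; tune it per repository.

# Reads one path per line on stdin. Prints every path that looks like a
# credential or key file and returns 1 if there was at least one; returns 0
# (printing nothing) when every path is clean.
sensitive_paths() {
  local n=0 path
  # `|| [ -n "$path" ]` keeps a final line that lacks a trailing newline.
  while IFS= read -r path || [ -n "$path" ]; do
    case "$path" in
      .env|*/.env|.env.*|*/.env.*|*.pem|*.key|*.p12|*.pfx|\
      id_rsa|*/id_rsa|id_ed25519|*/id_ed25519|*credentials*|*secret*)
        printf '%s\n' "$path"
        n=$((n + 1)) ;;
    esac
  done
  [ "$n" -eq 0 ]
}

# Usage: safe_commit_push "<message>" <path>...
# Stages only the named paths, blocks the commit if anything staged matches
# the denylist, shows what will be committed, and pushes only after the
# operator types "yes".
safe_commit_push() {
  local msg=$1; shift
  [ $# -gt 0 ] || { echo 'usage: safe_commit_push <message> <path>...' >&2; return 2; }
  git add -- "$@" || return 1
  local bad
  if ! bad=$(git diff --cached --name-only | sensitive_paths); then
    printf 'refusing to commit; sensitive paths are staged:\n%s\n' "$bad" >&2
    git reset -q -- "$@"   # unstage what we just added
    return 1
  fi
  git diff --cached --stat
  git commit -m "$msg" || return 1
  local remote answer
  remote=$(git remote get-url origin 2>/dev/null || echo '(no origin)')
  printf 'push to %s? type yes to continue: ' "$remote"
  read -r answer
  [ "$answer" = "yes" ] || { echo 'committed locally, not pushed' >&2; return 1; }
  git push
}
```

The denylist check runs against `git diff --cached --name-only`, so it covers files pulled in by a staged directory as well as the paths named explicitly; expect some false positives from the `*secret*` pattern, which is the safer failure mode for an automation template.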
If adapted carelessly, a script could use the wrong credential or send a token to an unintended endpoint.
The authenticated API template reads a token from the local keychain and sends it as a bearer token. This is expected for API automation, but credential use should be scoped and destination-checked: the template appends its second argument directly to `https://api.example.com`, so the request destination depends on that argument, and the token is passed on curl's command line, where other local processes can read it from the argument list.
TOKEN=$(security find-generic-password -a clawdbot -s api_token -w)
curl -s -X "$1" -H "Authorization: Bearer $TOKEN" "https://api.example.com$2"
Use least-privilege service-specific tokens, verify the API host before running, and avoid printing or logging tokens.
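A scoped alternative to the template above, added here as an illustration and not part of the skill: it allowlists the HTTP method and the base host, requires the path argument to begin with `/` so that it cannot alter the host when appended to the base URL, and hands the bearer header to curl through a config read from stdin (`-K -`) so the token never appears in the process's argument list. The allowed-host list, the `API_BASE` variable, and the keychain account and service names are assumptions; the keychain lookup itself needs macOS `security`.

```bash
#!/usr/bin/env bash
# Added example, not the skill's own template. Host list, API_BASE, and the
# keychain account/service names are illustrative assumptions.

# Returns 0 only for an allowlisted method and a path that starts with "/"
# and contains no whitespace or control characters. The leading "/" is what
# terminates the host in the final URL, so an argument such as
# ".evil.com/x" or "@evil.com/" cannot redirect the request.
validate_request() {
  local method=$1 path=$2
  case "$method" in GET|POST|PUT|PATCH|DELETE) ;; *) return 1 ;; esac
  case "$path" in /*) ;; *) return 1 ;; esac
  case "$path" in *[[:space:][:cntrl:]]*) return 1 ;; esac
  return 0
}

# Accepts only https base URLs whose host (everything between "https://" and
# the first "/") is on the allowlist. Userinfo tricks like
# "https://api.example.com@evil.com" fail because the whole "user@host"
# string is compared, not just the prefix.
allowed_base() {
  local url=$1 host
  case "$url" in https://*) ;; *) return 1 ;; esac
  host=${url#https://}
  host=${host%%/*}
  case "$host" in api.example.com|api-staging.example.com) return 0 ;; esac
  return 1
}

# Usage: api_call <METHOD> </path>
# Validates both arguments, then reads the token from the keychain and passes
# the Authorization header via curl's config on stdin, not via -H on argv.
# -sS keeps progress output quiet but still reports errors, unlike bare -s.
api_call() {
  local method=$1 path=$2 base=${API_BASE:-https://api.example.com}
  validate_request "$method" "$path" || { echo "rejected request: $method $path" >&2; return 2; }
  allowed_base "$base" || { echo "rejected base URL: $base" >&2; return 2; }
  local token
  token=$(security find-generic-password -a clawdbot -s api_token -w) || return 1
  printf 'header = "Authorization: Bearer %s"\n' "$token" |
    curl -sS --fail --max-time 30 -K - -X "$method" "${base}${path}"
}
```

Because the host list is fixed inside `allowed_base`, pointing `API_BASE` at a lookalike such as `https://api.example.com.evil.com` is rejected before the keychain is ever read, and a scoped, service-specific token in the `api_token` entry limits the damage if a request does go astray.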
