Automate
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated script could change files or run local commands if executed.
The skill can lead the agent to generate and execute scripts. That is central to the stated automation purpose, but generated code should still be reviewed before it runs.
- 3rd time: Stop. Write the script first, then run it.
Require review and explicit approval before running generated scripts, especially scripts that modify files, call APIs, or affect repositories.
If copied directly, a script could commit and push accidental changes or sensitive files.
The Git workflow template stages all changes and pushes them. This is transparent and purpose-aligned for automation, but it is broad and could publish unintended files if used without review.
```sh
# Stage every change in the working tree, commit with the given message, and push.
git add -A && git commit -m "$1" && git push
```
Review diffs before commit, avoid blanket `git add -A` for sensitive repos, and require confirmation before pushing.
If adapted carelessly, a script could use the wrong credential or send a token to an unintended endpoint.
The authenticated API template reads a local keychain token and sends it as a bearer token. This is expected for API automation, but credential use should be scoped and destination-checked.
```sh
# Read the API token from the local keychain, then send it as a bearer token.
# The assignment must be its own statement: in the prefix form
# `TOKEN=... curl ... "$TOKEN"` the shell expands "$TOKEN" before the
# assignment takes effect, so curl would be sent an empty token.
TOKEN=$(security find-generic-password -a clawdbot -s api_token -w)
curl -s -X "$1" -H "Authorization: Bearer $TOKEN" "https://api.example.com$2"
```
Use least-privilege service-specific tokens, verify the API host before running, and avoid printing or logging tokens.
