ClawHub Retry & Fallback Review
Audited by ClawScan on May 1, 2026.
Overview
No clear malicious behavior was found; this is a retry/fallback utility, but it can automatically repeat or reroute tool calls and keep local audit logs.
This appears suitable if you need retry/fallback handling, but use it carefully: avoid automatic retries for actions with side effects unless they are idempotent, require confirmation before switching tools for sensitive actions, review degraded results before relying on them, and manage local audit logs so they do not retain secrets.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A failed payment, post, delete, or other side-effecting action could be attempted again or sent through a backup function if the user wraps it with this retry/fallback logic.
The skill is intentionally designed to retry failed calls and automatically switch to backup tools. This matches the purpose, but if applied to non-idempotent actions it could repeat or reroute actions the user did not intend to perform multiple times.
Automatic retry execution ... **Automatic backup-tool switching** | Intelligently matches a pool of backup tools and maps parameters automatically
Use automatic retry mainly for read-only or idempotent operations, and require human confirmation for destructive, financial, public-posting, or account-changing actions.
Downstream automation could treat a partially completed workflow as successful if it only checks the success flag.
A critical-step failure can be represented as a medium degradation and still return success=True unless callers inspect the degradation level and failed_steps fields.
current_level = DegradationLevel.MEDIUM ... failed_steps.append(step.name) ... success = len(failed_steps) == 0 or current_level != DegradationLevel.HEAVY
For important workflows, require callers to check level, failed_steps, and skipped_steps, not just success; consider treating any critical-step failure as requiring user review.
If exception messages or parameters contain secrets or private data, those details may remain in local audit logs or exported reports.
The audit logger persists retry/fallback/degradation details, including exception messages and task details, to local JSONL files.
self.log_dir = Path(log_dir) if log_dir else Path('./logs') ... 'exception_message': exception_message ... f.write(json.dumps(entry.to_dict(), ensure_ascii=False) + '\n')
Avoid logging secrets, choose an appropriate log directory, and set retention or cleanup practices for audit files.
Future dependency versions could differ from what was originally tested, and provenance is not strongly established.
The documented install uses lower-bound dependency versions rather than pinned versions; the registry metadata also lists the source as unknown and no homepage.
retry>=0.9.1 pyyaml>=6.0 python-json-logger>=2.0.0
Install in a virtual environment, pin dependency versions if using this in production, and verify the package source before deployment.
