Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent Ops
v1.1.0Agent session 运维工具。当需要检测和恢复 API 限速、回收死 session 的知识、在破坏性操作前自动快照、或监控 context 使用率时使用。不用于安装 hook 脚本(用 agent-hooks)或架构设计(用 harness-design-patterns)。
⭐ 0· 67·0 current·0 all-time
by_silhouette@lanyasheng
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The declared purpose (rate-limit recovery, stale-session scavenging, checkpoint/rollback, token budgeting, model fallback) aligns with the scripts and reference docs: they operate on tmux panes, transcripts, and session files. However the skill metadata lists no required binaries or environment variables while the instructions and scripts clearly rely on external tools (tmux, git, jq, cron/systemd for daemons). The missing declaration is a coherence/packaging omission.
Instruction Scope
Runtime instructions include scanning tmux panes and sending Enter keys into panes, creating git checkpoints via `git add -A` and `git stash create`, running a stale-session daemon that reads transcripts and writes scavenged artifacts. These actions are within the stated domain but have nontrivial risk: blind or mistaken keystrokes can confirm destructive prompts, `git add -A` temporarily changes index state, and daemon transcript analysis may read and persist sensitive session data. The skill does include some safety checks (e.g., grep for confirmation prompts before sending Enter), but those checks are regex-based and can miss edge cases.
Install Mechanism
No install spec (instruction-only plus two small files). This is lower risk from a code-install perspective because nothing is downloaded or executed outside the repository. Files are small and human-readable. There is no packaged installer that would fetch arbitrary remote code.
Credentials
The skill requests no credentials or env vars, which is appropriate. That said, it expects access to local session state under sessions/<session-id>/ and to system tools (tmux, git, jq). Those local filesystem and binary accesses are consistent with its purpose but should be explicitly declared so users can evaluate permissions and side effects.
Persistence & Privilege
The skill recommends running daemons or cron jobs and writes state to sessions/* (heartbeat, checkpoint, failure-tracker.json, scavenged files, PID/state files). It does not set always:true or require platform-level privileges, but it does request persistent local presence and will create/modify files under session directories; users should consider where those directories live and who can read them.
Scan Findings in Context
[uses-tmux-capture-and-send-keys] expected: Rate-limit recovery and session ops legitimately require inspecting tmux panes and optionally sending keys; the presence of tmux commands matches purpose but is potentially dangerous if misapplied.
[git-add-stash-create-apply] expected: Checkpoint/rollback implementation uses git to snapshot and restore repository state. This is expected for the stated pattern but has side effects (temporary index modification, possible stash application errors) that need caution.
[uses-jq-and-reads-transcripts] expected: Parsing transcript JSONL with jq is expected for token estimation and stale-session scavenging; it implies reading potentially sensitive session transcripts which will be processed and stored locally.
[daemon-cron-file-io] expected: The references describe running a background daemon or cron job and writing persistent state files (heartbeat, trackers, PID). This matches the 'daemon' functionality but increases persistence surface area.
What to consider before installing
This skill is coherent with its stated goal of managing agent sessions, but it assumes and performs actions you should review before installing. Before you proceed:
- Inspect the scripts (context-usage.sh and the reference patterns) yourself. They are small and readable.
- Ensure the environment where you run this has tmux, git, and jq installed; the package metadata should declare these but currently does not. Don't run it on a system lacking those tools or on production hosts without testing.
- Understand side effects: the skill will read transcripts, write files to sessions/<session-id>/, create git checkpoints with `git add -A` (temporarily changing the index), and may apply stashes on rollback. Back up repositories or test in an isolated workspace.
- Pay attention to the tmux recovery logic: although it checks pane contents before sending Enter, regex checks can miss prompts. Prefer manual recovery when sessions run destructive shells; consider limiting which sessions the daemon scans.
- If you plan to enable a daemon/cron, control its user account and file permissions (sessions/ should be accessible only to the intended user) to avoid leaking transcripts or scavenged data.
- Ask the publisher to update metadata: list required binaries (tmux, jq, git) and explicitly document the directories it writes to and the daemon behavior. If you are not comfortable with automatic keystrokes or automatic git operations, do not install or run these components.Like a lobster shell, security has layers — review code before you run it.
latestvk9778pp00j95x0vnsgremgf9rd84bjmw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.