Skill v1.0.0

ClawScan security

LEIO SDLC · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 12, 2026, 8:35 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to implement a genuine SDLC orchestrator (files and templates match the description) but its runtime instructions include strong, hard-coded directives for the agent to execute whatever appears in the orchestrator's stdout (and the skill embeds aggressive, “do-not-ask” planner prompts and system-prompt–style patterns), which is inconsistent and risky — review before use.
Guidance
What to consider before installing/using this skill:

1) Review orchestrator.py and spawn_* scripts before running. Focus on subprocess.exec/subprocess.run usage, whether they invoke shells or write/execute temporary files, and whether they parse and then re-emit instructions that cause the agent to take further actions. Ensure temp-file creation is secure (unique names, correct permissions) and files are cleaned up.
2) Watch the dangerous runtime rule: the SKILL.md requires the agent to "strictly execute" any instructions that appear below the marker '[ACTION REQUIRED FOR MANAGER]' in the orchestrator stdout. That effectively allows the orchestrator to inject commands into the agent. Decide if you will enforce human confirmation for such outputs or modify the SKILL.md/orchestrator to require manual approval.
3) Run initially in an isolated, non-production environment (throwaway VM/container) with limited permissions. Set HOME_MOCK or otherwise redirect ~/.openclaw to a temp directory to prevent accidental deployment to your real OpenClaw instance or restarting real services.
4) Check credential needs: scripts reference a GitHub sync script and restart of the OpenClaw gateway. Verify what Git credentials or system permissions will be required and do not provide secrets without auditing the code paths that use them.
5) Audit prompts.json and playbook templates for 'auto-run' directives (e.g., 'DO NOT ASK FOR PERMISSION', 'Start now'). These force automated generation/execution; consider hardening by requiring explicit human approval (a gating step) before Planner/Coder/Reviewer start creating commits or PRs.
6) If you plan to allow autonomous invocation, restrict it until you've validated the behavior above. If you cannot review the code, treat the skill as risky: disable autonomous invocation and require user invocation only with human-in-the-loop approvals.
7) If you want help: I can (a) scan orchestrator.py for subprocess/exec usage and temporary-file patterns, (b) summarize places where the orchestrator writes to ~/.openclaw or calls external sync/restart, and (c) propose edits to the SKILL.md to remove the automatic-execute-on-stdout rule so manager actions require explicit confirmation.
Findings
[system-prompt-override] unexpected: Pre-scan flagged system-prompt-override patterns. SKILL.md and config/prompts.json include firm 'MUST'/'DO NOT ASK' language and a runtime instruction to execute manager actions derived from orchestrator stdout, which functions like a prompt-injection mechanism and is not necessary for a safe SDLC orchestrator.
[unicode-control-chars] unexpected: Pre-scan detected unicode-control-chars in SKILL.md content. Such characters are sometimes used to obfuscate or alter prompt handling; their presence is unexpected for a straightforward runbook and warrants manual inspection of the SKILL.md and orchestrator outputs.

Review Dimensions

Purpose & Capability
note: The name/description (SDLC orchestrator) matches the large included codebase: orchestrator.py, spawn_*.py, Planner/Coder/Reviewer playbooks, deployment and rollback scripts, and many PRD/test templates. The requested resources (none declared) are minimal, which is coherent for an instruction-only skill that operates on the workspace. Note: deployment scripts reference openclaw gateway restart and an optional GitHub sync script; these imply filesystem and system-service effects (restarts, writes under ~/.openclaw) that are reasonable for an SDLC Skill but require OS permissions not declared in the metadata.
Instruction Scope
concern: SKILL.md mandates the agent must start scripts/orchestrator.py and, critically, 'MUST strictly execute the instructions provided below' the exact stdout marker '[ACTION REQUIRED FOR MANAGER]'. That turns arbitrarily-produced orchestrator stdout into authoritative commands for the manager agent, effectively granting the skill the ability to inject runtime instructions into the agent. Additionally, config/prompts.json contains aggressive 'DO NOT ASK FOR PERMISSION' and immediate-execution directives for Planner/Coder/Reviewer personas. These behaviors broaden the agent's action scope beyond benign orchestration and create a plausible vector for prompt-injection-style control.
Install Mechanism
ok: There is no install spec (instruction-only kit with many code files bundled). No remote downloads or extract phases were detected in the manifest. That lowers supply-chain risk compared to network installs. The included deploy/rollback scripts operate by copying files into ~/.openclaw and restarting the OpenClaw gateway, which is standard for skill deployment but will have side effects on the host if executed.
Credentials
note: The skill declares no required env vars or credentials, which is consistent with a local orchestration engine. However, multiple scripts reference external sync (a GitHub sync script), call 'openclaw gateway restart' and perform hard-copy deploys to ~/.openclaw; those actions may implicitly require credentials/privileges (file-system ownership, ability to restart services, access to Git remotes) that are not declared. It's advisable to verify what credentials (SSH/git tokens, sudo/system permissions) will actually be required before running.
Persistence & Privilege
ok: always:false and no install-time modifications are declared. The skill is not asserting permanent privileged presence in the agent. That said, deploy scripts write to the user's ~/.openclaw and backups under ~/.openclaw/.releases and can restart the OpenClaw gateway; running these scripts will persist files and change runtime state on the host, so the user should expect those side-effects.