Skill v1.2.0
ClawScan security
Qclaw Workbuddy Bridge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 15, 2026, 2:33 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is broadly coherent with a file-based queue bridge, but documentation and runtime instructions contain inconsistencies and the prompts encourage automatic writing of tasks that may include local file paths—these issues warrant caution before installing.
- Guidance: What to check and do before installing:
  - Fix the path/filename inconsistency: SKILL.md sometimes tells QClaw to run python3 ~/.workbuddy/queue/qclaw_tasks.py, but the shipped script is scripts/qclaw_queue.py under ~/.workbuddy/skills/qclaw-workbuddy-bridge/. Confirm which path will be installed and update all commands to the same, correct path. A mismatched path can cause failed runs or accidental execution of a different script placed in the queue directory.
  - Review and limit what QClaw will automatically enqueue. The provided prompt encourages automatic queuing for many conditions (including tasks that access local files). Consider restricting automatic enqueuing to explicit user consent, or require a confirmation step before writing tasks that include local file paths or sensitive context.
  - Restrict file paths and privileges for WorkBuddy execution. Because tasks may include local paths, ensure WorkBuddy runs in a sandbox, or add validation to prevent reading sensitive system files. Use least privilege for any automations that process queue entries.
  - Protect the queue directory: set tight filesystem permissions (owner-only) and monitor/validate files placed in ~/.workbuddy/queue. Because some doc commands reference executing scripts under ~/.workbuddy/queue, ensure no untrusted files can be executed from that location.
  - Test in a safe environment first: run the scripts locally on a non-production account to validate behavior (add/list/poll/done) and confirm triggers and file writes behave as expected.
  - If you need higher assurance, request the author to (a) correct documentation inconsistencies, (b) include optional safeguards (confirmation prompts, path whitelists), and (c) sign or package the script in a predictable install location so QClaw/WorkBuddy run the intended code.
Review Dimensions
- Purpose & Capability (note): The stated purpose (a simple QClaw ↔ WorkBuddy bridge using a shared JSON queue) matches the included Python queue manager and the documented file-based architecture. Nothing in the code requires cloud credentials or unrelated system access. However, SKILL.md contains inconsistent command paths (references to qclaw_tasks.py in ~/.workbuddy/queue vs the actual script qclaw_queue.py located in ~/.workbuddy/skills/...), which is an incoherence between documentation and shipped files.
- Instruction Scope (concern): The runtime instructions tell QClaw to proactively write tasks into the queue whenever many broad conditions are met (including when tasks require access to local files). That behavior is plausible for a delegation bridge, but it expands the agent's authority and can lead to unintended exposure of local file paths and data. The WorkBuddy side is instructed to "autonomously execute tasks (calling all the tools and Skills needed to complete the work)", granting broad discretion to use other tools/skills when executing tasks. Also the docs inconsistently reference different script paths/filenames (qclaw_tasks.py vs qclaw_queue.py), which could cause misconfiguration and unintended execution of files in the queue directory.
- Install Mechanism (ok): No install spec (instruction-only with a helper script) — lowest-risk install behavior. The only code is a small Python script that reads/writes JSON files under ~/.workbuddy; no downloads or external installers are included.
- Credentials (note): The skill requests no environment variables or credentials, which is proportionate. However, the design intentionally passes file paths and user/context information through the queue; if users or QClaw supply sensitive local paths, WorkBuddy (or any automation processing the queue) may access those files. The SKILL.md instructs QClaw to ask for local file paths and include them in the task context, which is functionally necessary but increases data-exposure risk.
- Persistence & Privilege (ok): The skill does not request always:true and does not modify other skills’ configurations. It writes files under the user's home (~/.workbuddy) which is expected for a user-space queue bridge. No privileged system changes are performed.
