Skill v1.0.0
ClawScan security
Zouroboros Autoloop · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 13, 2026, 8:09 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The package and its runtime instructions match the described autonomous single-metric optimization purpose — it edits a single target file, commits to git, runs arbitrary experiments, and keeps/reverts changes — but it performs powerful filesystem and shell operations that you should only run on non-sensitive repos or in isolated environments.
- Guidance: This package is coherent with its stated purpose but is powerful: it will execute arbitrary commands specified in program.md, modify and commit files in the repository (including hard resets), spawn detached processes, and send the target file contents + experiment history to whatever executor CLI you choose (which may transmit them off-host). Before installing or running:
  1. review program.md carefully and never point it at repositories with secrets or sensitive data;
  2. prefer running autoloop in an isolated/test repository or container;
  3. verify/choose an executor you trust (the executor controls where prompts go);
  4. run --dry-run first and inspect results.tsv and created branches before letting the loop continue;
  5. inspect package source and package-lock for any unexpected dependencies;
  6. avoid running as root and back up your repo (or use a disposable clone) because autoloop can commit/revert and runs git reset operations.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binaries (node, git), CLI binaries (autoloop, autoloop-mcp), and the code (parsing program.md, editing the target file, committing with git, running experiments) are coherent. The requested capabilities are exactly what an autonomous edit/experiment loop needs.
- Instruction Scope (note): SKILL.md and the code instruct the agent to: read a program.md, read and write the specified target file, run the configured runCommand and metric extraction shell commands, commit/revert via git, and call an external executor CLI (e.g., 'openclaw ask') to generate proposed changes. This is consistent with the purpose, but it inherently grants broad power: arbitrary shell commands from program.md will be executed in the working directory, and the target file contents (and recent experiment history) are sent to the chosen executor — which may transmit them to external services. Users should be aware of the data-exfiltration and arbitrary-code-execution risks inherent to this workflow.
- Install Mechanism (ok): The install spec is an npm package (zouroboros-autoloop) that provides the two CLI scripts. The repository includes package.json and package-lock.json and no opaque remote download/extract steps — this is the expected install mechanism for a Node CLI.
- Credentials (ok): The skill does not declare or require environment credentials or config paths. The code reads process.env when spawning shell commands (normal), but there are no unexpected credential requests. The executor command (user-specified) could use external API keys that the user supplies separately — which is expected and under user control.
- Persistence & Privilege (ok): The always flag is false and the skill does not demand permanent platform-wide privileges. It creates/writes files and commits in the project directory (expected behavior), spawns detached processes for long-running loops, and writes/reads a .autoloop.lock file. It does not attempt to modify other skills or global agent configuration.
