Skill v1.0.0
ClawScan security
Forge 🔨 Repair-Inspect Loop · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 28, 2026, 9:58 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is largely coherent with its stated purpose (an orchestrator for automated repair+inspection) but includes cross-project persistence of “universal” patterns and automatic commit/auto-loop behavior that could leak project-specific data or make unreviewed changes; these behaviours deserve careful review before use.
- Guidance: This skill appears to implement the advertised repair→inspect orchestration, but take these precautions before installing or running it on real repositories:
  1. Audit scripts/forge.py (search for subprocess.run/exec/git calls and any network operations). Confirm exactly how commits and external commands are executed.
  2. Disable auto-commit and automatic auto-looping during initial evaluation (set config.auto_commit = False and run single-step manual flows). Require human approval before any git push or commit to protected branches.
  3. Review how 'universal' patterns are extracted and stored (forge/reflections/patterns.jsonl). If you will run this across multiple projects, either turn off universal extraction or ensure a strict sanitization step to remove any project-specific paths, sample data, or secrets.
  4. Treat the doc-sync step as untrusted code execution: it will run project-provided scripts (e.g., scripts/tools/doc-sync-checker.py) if present. Only enable that in isolated/test environments or after reviewing those scripts.
  5. Populate protected-files.txt for anything that must never be touched (credentials, deployment scripts, CI config). Test the protected-files enforcement on a sandbox repo with safe dummy files.
  6. Run the skill first in a disposable clone/branch with no secrets, and inspect forge-output and reflections files to ensure no sensitive data is being recorded or leaked across projects.

  If you want, provide the full forge.py content (or search results for subprocess/git/network usage) and I can point to the exact lines to review and suggest safer configuration changes.
Review Dimensions
- Purpose & Capability: ok. Name/description match what is present: an orchestrator for repair→inspect loops. The artifact contains an orchestrator script (scripts/forge.py), role templates, protocol docs, and state/reflection file conventions. It does not request unrelated credentials or binaries.
- Instruction Scope: concern. The SKILL.md directs the agent to run forge.py to create tasks, spawn repair/inspect sessions, write outputs into the project (forge-output/), and automatically extract and reuse repair patterns. It also will try to run project-side helpers (e.g., scripts/tools/doc-sync-checker.py) if present. Two concerns: (1) the universal 'patterns.jsonl' is reused across all projects — project-specific information may be insufficiently sanitized and could be injected into later repairs on other projects; (2) the doc-sync step and other scripted steps execute project-provided code, which can run arbitrary code in the project environment. Both are outside the minimal scope of “orchestration” and increase risk.
- Install Mechanism: ok. There is no external install spec — this is instruction + bundled script. No network downloads or remote installers are involved in the skill bundle itself, which reduces supply-chain risk.
- Credentials: note. The skill does not request environment variables or credentials. However, it persistently stores two cross-cutting artifacts: a universal reflections file inside the skill (forge/reflections/patterns.jsonl) and project-specific reflections (project/forge-reflections.jsonl). If the extraction/sanitization heuristics fail, sensitive project data (paths, examples, tokens, or config snippets) could be recorded and then exposed to other projects' runs.
- Persistence & Privilege: concern. The orchestrator will modify project state (forge-state.json, forge-output/, forge-reflections.jsonl) and — per the protocol — auto-commit changes on PASS (config.auto_commit = True by default). Combined with automatic retry loops ('auto-loop on FAIL' and up to 5 rounds) and cross-project universal pattern accumulation, the skill has a persistent and far-reaching footprint. While not flagged as always:true, the skill still performs high-privilege actions (writing, committing, executing project scripts) without human review by default.
