Skillv1.0.0

ClawScan security

Ralph · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 12, 2026, 9:18 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (a persistence loop that iterates until a task is verified complete) matches most of the instructions, but there are several inconsistencies and scope concerns (file paths, an unexplained /cancel action, and broad filesystem/command activity) that warrant caution before installing.
Guidance: This skill implements what it claims (a persistence loop that verifies completion) but there are several issues to consider before installing: - Inconsistencies to check: README path (~/.claude/...) differs from SKILL.md (~/.openclaw/...). Confirm the intended install location and ownership before cloning or running scripts. - Ambiguous agent interactions: the script references delegating to other agents and invokes an unexplained '/cancel' command. Ask the author what those do and how they interact with your agent runtime. - File system and command execution: Ralph will create state under your home directory and run project commands (npm test/build, grep across your working tree). npm scripts can execute arbitrary code from the repository — run only in projects you trust or within an isolated environment. - Long-running loops: the skill can iterate repeatedly (up to 10 times) performing builds/tests. Consider resource/time limits or running it in a sandbox (container/CI runner) rather than directly on your workstation. - Source verification: the registry metadata lacks a verified homepage/source. If you plan to use it, inspect the GitHub repository the README points to (and review the full script) before cloning. Prefer running the script manually in a safe environment first. If you need this capability, proceed after: verifying the repository, adjusting/confirming the install paths, running the script in an isolated sandbox the first time, and confirming the meaning and safety of the '/cancel' and 'delegate' behaviors.

Review Dimensions

Purpose & Capability: noteName/description match the implementation: a persistence loop that saves state and runs verification steps. However there are small incoherences: README suggests a clone path under ~/.claude/skills/... while the SKILL.md uses ~/.openclaw/... — inconsistent install locations/names. README also advertises a GitHub repo for install but the registry reported 'Source: unknown' and no homepage. These discrepancies suggest sloppy packaging or incomplete metadata.
Instruction Scope: concernThe instructions and example script instruct the agent to read/write state under the user's home (~/.openclaw/state/ralph), run commands in the workspace (grep across files), and execute npm test/build if package.json exists. The skill also speaks of 'delegat[ing] to appropriate agents' and 'run long ops in background' — vague instructions that give the agent wide discretion. The script calls a '/cancel' command (unexplained) which may be an action intended to interact with the agent runtime; its behavior is ambiguous. These behaviors are coherent with a developer automation tool but broaden the agent's access to the filesystem and to executing arbitrary project scripts (npm scripts can run arbitrary code).
Install Mechanism: okThis is an instruction-only skill with no install spec or bundled binaries, which is low risk from install mechanics. README suggests cloning a GitHub repo (a normal pattern). No third-party downloads or extract steps are present in the registry metadata.
Credentials: okThe skill declares no required environment variables or credentials. Its requested access (read/write under the user's home and running local build/test commands) is proportionate to a tool that verifies builds/tests in a project. However, lack of declared requirements means the agent will rely on existing system tooling (npm, grep) which may execute project-provided code.
Persistence & Privilege: noteThe skill writes persistent state to ~/.openclaw/state/ralph and suggests creating a script under ~/.openclaw/skills/ralph/ralph.sh (and README suggests an alternate path). always:false (not force-included) so it won't be auto-enabled for all agents, which is appropriate. Still, it will create files under the user's home and may run repeated long-running operations up to 10 iterations; users should be aware of disk/CPU/network implications.