Rune
WarnAudited by ClawScan on May 17, 2026.
Overview
Rune appears to be a broad coding-agent orchestrator, not just a red-team review skill, and it includes broad workflow-control, persistence, command/API usage, and flagged credential examples that users should review carefully.
Before installing, treat Rune as a broad coding-agent framework rather than a single red-team skill. Verify the source/package, inspect flagged extension files for real credentials, disable subskills you do not need, approve shell/API/deploy-related actions manually, and review generated .rune/ or project memory files before committing them.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user expecting only plan red-team analysis may install a much broader coding-agent mesh.
The visible listing description is much narrower than the installed package documentation, which describes a broad coding workflow orchestrator with deployment and parallel-work capabilities.
metadata Description: "Performs adversarial red-team analysis..."; SKILL.md: "**64-skill mesh** ... Use `rune:cook` for any code task, `rune:team` for parallel work, `rune:launch` for deploy."
Install only if you want the broad Rune coding orchestrator; otherwise use or enable only the specific subskills you need.
The agent may steer ordinary coding questions through Rune's own workflow and subskill routing even when the user did not ask for that overhead.
This instruction makes Rune's routing workflow authoritative for any code response when the skill is active, rather than only for an explicit narrow request.
> **RUNE COMPLIANCE**: Before ANY code response, you MUST: ... Route through the correct Rune skill ... do NOT freelance or skip steps
Use this skill only when you want Rune to orchestrate coding tasks; consider disabling unwanted subskills or removing broad compliance language in local copies.
Hardcoded or copy-pasted access tokens can leak account access or teach unsafe credential handling patterns.
The static scan redacted what it identified as a literal OAuth/access token in an extension file, while the skill metadata declares no primary credential or required environment variables.
oa_access_token: [REDACTED],
Publisher should remove and rotate any real tokens; users should inspect this file before use and avoid committing or copying token literals.
The agent may access repository metadata through local tools or authenticated GitHub configuration.
The autopsy workflow uses local CLI/API commands and may rely on a GitHub token. These commands are coherent for repository health analysis, but they should be user-approved.
gh api repos/{owner}/{repo} --jq ... # Fetch via GitHub API (requires gh CLI or curl + GITHUB_TOKEN)Confirm the target repository and approve command/API use, especially when private repositories or privileged GitHub tokens are involved.
Sensitive project decisions or incorrect instructions could persist in project files and influence later agent behavior.
The skill intentionally creates persistent project context that future sessions may read and trust.
MUST: Before summarizing/compacting context, save important decisions and progress to project files. SHOULD: Before ending, save architectural decisions and progress to .rune/ directory for future sessions.
Review .rune/ and related generated files periodically, and keep sensitive notes out of public repositories.
Running the npm initializer may execute code from a package source outside the ClawHub install path.
The skill suggests a user-directed npm initializer even though the install spec says there is no install mechanism. This is not automatic execution, but it is a provenance and review point.
Or via npm: npx @rune-kit/rune init
Prefer the reviewed ClawHub install path, or verify the npm package, version, and GitHub source before running npx.