Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

backstage companion

v1.0.4

Anti-drift protocol script. Ensures parity between docs and system. Triggers: 'bom dia PROJECT' / 'good morning PROJECT' (load project context with health ch...

by Nicholas Frota (@nonlinear)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (anti-drift, enforce parity, generate diagrams, sync protocol) align with the included scripts and SKILL.md. The included scripts implement deterministic checks, interpretive-reading, roadmap parsing, and an upstream sync — all consistent with the stated purpose. However the skill expects a global checks location ($HOME/Documents/backstage/backstage/checks/global) outside the project repo, which is an elevated design choice that should be justified by the maintainer and is not strictly required by a simple repo-local anti-drift tool.
Instruction Scope
SKILL.md and the scripts instruct the agent to execute all *.sh files found in a global directory ($HOME/Documents/backstage/backstage/checks/global) and run local checks; deterministic checks run automatically (no per-check prompt). The interpretive checks are 'read' by the AI. update-backstage.sh clones an upstream GitHub repo and rsyncs upstream checks into the project's checks/global after prompting. Executing arbitrary shell scripts from a hard-coded path in $HOME and auto-running them is scope expansion: the skill will execute code outside the project and outside explicit per-check consent, which can run arbitrary commands and access local resources.
Install Mechanism
There is no install spec; this is mostly instruction + included shell scripts. The only network action is git clone of https://github.com/nonlinear/backstage performed by update-backstage.sh — a standard release host (GitHub). Cloning and rsyncing from upstream is expected for a sync tool, but because the cloned files are later executed (checks), this network fetch increases risk.
Credentials
The skill declares no required env vars or credentials, which is consistent. However it uses a hard-coded host-path ($HOME/Documents/backstage/backstage/checks/global) and will execute any scripts there. While not a secret, this gives the skill broad file-system reach in the user's home and the ability to run arbitrary code found under that path (including symlinked locations). No credentials are requested, but file execution privilege is effectively high.
Persistence & Privilege
always:false (good). There is no explicit request to modify other skills or system-wide configs. However admin-mode behavior exists: if checks/global is a symlink to upstream, the script reports 'Auto-updates enabled' and may implicitly defer to upstream content; update-backstage.sh will rsync upstream changes into the project's checks/global when the user approves. Combined with autonomous invocation capability (disable-model-invocation: false by default on platform), the ability to fetch and then execute new checks gives the skill considerable runtime influence. The SKILL.md warns users, but the scripts still execute global checks without per-script confirmation.
What to consider before installing
This skill is functionally coherent but carries real risk because it executes shell scripts from a global folder in your home and can fetch and overwrite checks from a GitHub repo. Before installing or enabling it:
1) Inspect the global checks folder (~/Documents/backstage/backstage/checks/global) — ensure you control its contents or remove/rename it if not needed.
2) Audit all included scripts (checks.sh, backstage.sh, update-backstage.sh, parse-roadmap.sh) and any upstream repo you will sync from (https://github.com/nonlinear/backstage).
3) Run it first in a safe environment (container, VM, or throwaway repo) to see what commands run.
4) If you don't want remote updates or arbitrary code execution, do not symlink checks/global to an upstream repo and avoid running 'update-backstage'.
5) Consider limiting agent autonomy (require user confirmation for actions) or forbidding automated triggers that run these scripts.
If you want, provide the upstream repo contents or a sample global checks directory and I can review them for dangerous commands (network exfiltration, credential access, privileged file operations).
