backstage companion
Verdict: Suspicious. Audited by ClawScan on May 10, 2026.
Overview
This skill is not clearly malicious, but it is a high-trust admin tool that runs project/global shell checks and syncs remote rules in ways users should review carefully.
Install this only if you fully trust the projects and backstage check repositories it will run. Review update-backstage.sh, checks.sh, and all checks/global and checks/local scripts before use, and be aware that updates can change or delete check files that affect future agent behavior.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: A malicious or unexpected check file in a project or global checks folder could run arbitrary commands with the user's local permissions.
Evidence: checks.sh runs every shell file found in the global and local check directories, including scripts shipped inside the project being checked (LOCAL_CHECKS_DIR is a path relative to the project), with no sandbox and no per-script approval.
  GLOBAL_CHECKS_DIR="$HOME/Documents/backstage/backstage/checks/global"
  LOCAL_CHECKS_DIR="backstage/checks/local"
  CHECK_OUTPUT=$(bash "$check" 2>&1)
  if bash "$check" >/dev/null 2>&1; then
Recommendation: Use only in repositories and check directories you fully trust; add explicit review or approval of each check script, an allowlist of reviewed scripts, or sandboxing before anything is executed.
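One way to add the per-script approval the recommendation asks for, written here as an added example rather than backstage's own checks.sh: a runner that executes a check only if its SHA-256 and file name appear as a line in a reviewed manifest, so a script that is added, renamed, or edited after review is skipped instead of run. The manifest file name, its two-column line format, and the constructed demo scripts are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not backstage's checks.sh: run only check scripts whose
# SHA-256 and file name appear in a reviewed manifest. The manifest file name
# and its "<sha256>  <file name>" line format are assumptions for illustration.
set -u

# SHA-256 of a file; uses sha256sum where present, else shasum (macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeeds only if "<sha256>  <basename>" is an exact line of the manifest,
# so both renaming an approved script and editing its content fail the check.
check_is_approved() {
    local manifest="$1" script="$2"
    grep -Fqx -- "$(file_sha256 "$script")  $(basename "$script")" "$manifest"
}

# Run every approved *.sh in a checks directory; report and skip the rest.
# Prints "PASS <path>", "FAIL <path>" or "SKIP <path>" per script and returns
# non-zero if any approved check failed, like a plain pass/fail runner.
run_approved_checks() {
    local dir="$1" manifest="$2" check failed=0
    for check in "$dir"/*.sh; do
        [ -e "$check" ] || continue
        if ! check_is_approved "$manifest" "$check"; then
            echo "SKIP $check (not in manifest)"
            continue
        fi
        if bash "$check" >/dev/null 2>&1; then
            echo "PASS $check"
        else
            echo "FAIL $check"
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Constructed fixture: one reviewed check and one unreviewed check that would
# leave a marker file if it ever ran. Only the reviewed one goes in the manifest.
make_demo() {
    local root dir
    root=$(mktemp -d)
    dir="$root/checks/local"
    mkdir -p "$dir"
    printf '#!/usr/bin/env bash\nexit 0\n' > "$dir/10-reviewed.sh"
    printf '#!/usr/bin/env bash\ntouch "$(dirname "$0")/UNREVIEWED_RAN"\n' > "$dir/99-unreviewed.sh"
    printf '%s  %s\n' "$(file_sha256 "$dir/10-reviewed.sh")" 10-reviewed.sh > "$root/checks.manifest"
    echo "$root"
}

# Stand-alone run: build the fixture and show what the runner does with it.
demo_root=$(make_demo)
run_approved_checks "$demo_root/checks/local" "$demo_root/checks.manifest"
```

Regenerate the manifest as the last step of reviewing a check (one sha256sum line per approved script) and keep it outside the project tree: a manifest the project itself can edit approves whatever the project wants.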
Finding 2: A repository could include markdown rules that push the agent away from the user's intended workflow or safety expectations.
Evidence: The skill makes project-local markdown files authoritative instructions for the agent and states that local rules override global ones on conflict, so checking out a repository is enough to change how the agent behaves.
  `checks/local/*.md` = Project-specific overrides
  `Enforced by:` AI (reads markdown, interprets context, acts)
  `Local wins on conflict`
Recommendation: Treat local markdown checks as untrusted unless the project itself is trusted, and require that they cannot override user, system, or safety instructions.
Finding 3: If the upstream repository changes unexpectedly or is compromised, future backstage runs would execute the changed check scripts.
Evidence: update-backstage.sh clones the latest commit of the upstream default branch, with no commit, tag, or release pinned, and copies the result into the global checks directory, whose .sh files checks.sh later executes.
  UPSTREAM="https://github.com/nonlinear/backstage"
  git clone --quiet --depth 1 "$UPSTREAM" "$TMP_DIR/backstage"
  rsync -av --delete "$TMP_DIR/backstage/backstage/checks/global/" "$BACKSTAGE_DIR/checks/global/"
Recommendation: Pin updates to reviewed commits or releases, show the full diff before applying, and verify the source before syncing executable checks.
Finding 4: A user may approve an update believing local check files will be preserved when they will actually be removed.
Evidence: The update prompt says files removed upstream "will be kept locally", but the sync uses rsync --delete, which removes every file in the destination that is missing from the upstream tree, including any local additions under checks/global.
  echo " - $file (will be kept locally unless you delete)"
  rsync -av --delete "$TMP_DIR/backstage/backstage/checks/global/" "$BACKSTAGE_DIR/checks/global/"
Recommendation: Either drop --delete or warn clearly that applying an update can delete local files from checks/global, and show the exact list of files to be deleted before asking for confirmation.
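Findings 3 and 4 share a fix: fetch upstream at a reviewed commit, and list exactly what an update would delete before anything is removed. The following is an added example, not backstage's update-backstage.sh; PINNED_COMMIT is a placeholder, the function names are invented, and fetch_pinned needs git and network access while the preview and apply functions run offline on the constructed fixture at the bottom.

```bash
#!/usr/bin/env bash
# Added example, not backstage's update-backstage.sh: fetch upstream checks at
# a reviewed commit, then list exactly what an update would change and delete
# before anything in the global checks directory is touched. PINNED_COMMIT is
# a placeholder and the function names are illustrative.
set -u

UPSTREAM="https://github.com/nonlinear/backstage"
# Placeholder pin: replace with the full 40-hex SHA you actually reviewed.
PINNED_COMMIT="0000000000000000000000000000000000000000"

# Clone the upstream and check out PINNED_COMMIT; fail unless HEAD is exactly
# that commit, so a moved branch or a mistyped pin cannot slip through. Needs
# git and network access, so the stand-alone demo below does not call it.
fetch_pinned() {
    local dest="$1" head
    git clone --quiet "$UPSTREAM" "$dest" || return 1
    git -C "$dest" checkout --quiet "$PINNED_COMMIT" || return 1
    head=$(git -C "$dest" rev-parse HEAD)
    [ "$head" = "$PINNED_COMMIT" ] || { echo "pin mismatch: HEAD is $head" >&2; return 1; }
}

# Relative paths of regular files under a directory, sorted for comm(1).
list_files() {
    (cd "$1" && find . -type f | sed 's|^\./||' | sort)
}

# Files present in DEST but absent from SRC: exactly what rsync --delete
# would remove. Prints one relative path per line, nothing if there are none.
preview_deletions() {
    local src="$1" dest="$2" a b
    a=$(mktemp); b=$(mktemp)
    list_files "$src" > "$a"
    list_files "$dest" > "$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Full diff of what the update would change, DEST as "before", SRC as "after".
preview_changes() {
    diff -ru "$2" "$1" || true
}

# Copy SRC over DEST without removing anything. Local-only files are listed
# first and removed only when the third argument is the literal "yes".
apply_update() {
    local src="$1" dest="$2" delete_extra="${3:-no}" deletions f
    mkdir -p "$dest"
    deletions=$(preview_deletions "$src" "$dest")
    if [ -n "$deletions" ]; then
        echo "Files in $dest that upstream no longer has:" >&2
        printf '%s\n' "$deletions" | sed 's/^/  - /' >&2
    fi
    list_files "$src" | while IFS= read -r f; do
        mkdir -p "$dest/$(dirname "$f")"
        cp "$src/$f" "$dest/$f"
    done
    if [ "$delete_extra" = "yes" ] && [ -n "$deletions" ]; then
        printf '%s\n' "$deletions" | while IFS= read -r f; do rm -f "$dest/$f"; done
    fi
}

# Constructed fixture: an "upstream" tree where lint.sh changed and old-check.sh
# was removed, and a local checks/global that still has both (old-check.sh is
# the kind of file the audited prompt claims will be kept).
make_demo() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/upstream/checks/global" "$root/local/checks/global"
    echo 'echo lint v2' > "$root/upstream/checks/global/lint.sh"
    echo 'echo lint v1' > "$root/local/checks/global/lint.sh"
    echo 'echo local only' > "$root/local/checks/global/old-check.sh"
    echo "$root"
}

# Stand-alone run: preview, then apply without deleting (old-check.sh survives).
demo_root=$(make_demo)
preview_deletions "$demo_root/upstream/checks/global" "$demo_root/local/checks/global"
apply_update "$demo_root/upstream/checks/global" "$demo_root/local/checks/global"
```

The deletion list is computed from the two trees rather than trusting the update's own message, so the prompt can only ever print what will really happen; pass "yes" as the third argument only after that list has been shown and accepted.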
