v1.0.4

backstage companion

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:39 AM.

Analysis

This appears to be a transparent admin workflow tool, but it can run arbitrary project/global shell checks and update those checks from an unpinned GitHub source, so it needs careful review before use.

Guidance: Install or run this only if you trust the project repository, the global checks directory, and the GitHub upstream. Review the shell scripts and markdown checks first, pin or review remote updates, and be aware that the update script may delete local global-check files despite messaging that says removed upstream files will be kept.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
checks.sh
GLOBAL_CHECKS_DIR="$HOME/Documents/backstage/backstage/checks/global"
LOCAL_CHECKS_DIR="backstage/checks/local"
...
CHECK_OUTPUT=$(bash "$check" 2>&1)
...
if bash "$check" >/dev/null 2>&1; then

The checker discovers and executes all matching shell scripts from both a global user directory and the current project's local checks directory. That is broad local code execution with the user's privileges and no per-script approval.

User impact: A malicious or compromised check script in a project or global checks folder could alter files, run commands, or access local data during a normal backstage run.
Recommendation: Use this only with trusted repositories and trusted global check sources. Inspect all .sh checks before running, and consider adding an explicit approval or allowlist for executable checks.
Agentic Supply Chain Vulnerabilities
Severity: High | Confidence: High | Status: Concern
update-backstage.sh
UPSTREAM="https://github.com/nonlinear/backstage"
...
git clone --quiet --depth 1 "$UPSTREAM" "$TMP_DIR/backstage"
...
rsync -av --delete "$TMP_DIR/backstage/backstage/checks/global/" "$BACKSTAGE_DIR/checks/global/"

The update flow clones the latest default-branch content from GitHub without pinning a commit, tag, checksum, or signature, then syncs it into the checks/global directory that other scripts later execute.

User impact: If the upstream repository changes unexpectedly or is compromised, future backstage runs could execute newly synced shell checks.
Recommendation: Pin updates to reviewed releases or commits, verify signatures/checksums where possible, and review diffs before applying updates.
Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
update-backstage.sh
echo "  - $file (will be kept locally unless you delete)"
...
rsync -av --delete "$TMP_DIR/backstage/backstage/checks/global/" "$BACKSTAGE_DIR/checks/global/"

The update message tells users that removed upstream files will be kept locally, but the later rsync command uses --delete, which removes any destination file that is absent from the source.

User impact: A user may approve an update believing local global-check files will remain, while the script can delete them during sync.
Recommendation: Fix the update messaging or remove --delete. Show an accurate deletion plan and require explicit confirmation before deleting local files.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
SKILL.md
`checks/local/*.md` = Project-specific overrides
- **Enforced by:** AI (reads markdown, interprets context, acts)
...
**Polycentric governance:**
- Global + local rules coexist
- Local wins on conflict

The skill intentionally turns local and global markdown files into agent-enforced policy, with local project files able to override global rules.

User impact: Project-local markdown can influence how the agent behaves. This is useful for trusted projects but risky in untrusted repositories.
Recommendation: Only allow trusted markdown checks to define agent behavior, and inspect local checks before letting the agent enforce them.