Skill v1.9.72
ClawScan security
Wip Ai Devops Toolbox Private · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Apr 21, 2026, 9:27 PM)
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- This is a large, coherent DevOps toolbox that mostly matches its description, but it installs persistent hooks, schedules privileged tasks, and can push private repos to public mirrors while failing to declare the credentials/privileges it will need — review before installing.
- Guidance
- What to check before installing:
  - Confirm package provenance: look up @wipcomputer/wip-ai-devops-toolbox on npm and the referenced GitHub repo; verify the package owner and tarball signature and that the code on npm matches the visible source.
  - Inspect the install actions: run the recommended dry-run (ldm install --dry-run) and carefully review the exact file writes and config edits it will perform (especially changes to ~/.claude/settings.json, ~/.openclaw/extensions/, ~/.ldm/, and cron jobs).
  - Do not grant Full Disk Access, cron scheduling, or add hooks until you have reviewed the scripts that will run under those privileges. Run the tools inside an isolated environment (VM or throwaway machine) first.
  - Audit deploy-public.sh and any 'private-to-public sync' automation to ensure it excludes sensitive folders/ai/ and will not leak secrets or private data; run those scripts with --dry-run and inspect the planned diffs.
  - Expect to need GitHub and npm credentials (GH_TOKEN, NPM_TOKEN, or scoped deploy tokens) for releases; do not provide broad personal tokens — prefer least-privilege machine/service accounts and ephemeral scopes.
  - Review hooks and guard scripts (guard.mjs, wip-file-guard, wip-branch-guard) for exact behavior and failure modes (are they read-only when not configured?).
  - If you want to proceed, first test in a sandboxed repo or VM, use least-privilege tokens, keep backups, and only enable automated agent-driven operations after you have validated dry-runs and logs.
- Confidence note: medium. The package appears internally coherent for its declared DevOps role, but the absence of declared credentials and the amount of persistent system modification are significant red flags that require manual review of code and provenance before trusting or installing.
Review Dimensions
- Purpose & Capability
- note: The name, description, declared required binaries (git, npm, gh, node), and the npm install of @wipcomputer/wip-ai-devops-toolbox align with a DevOps toolbox. The package contains many tools (release pipeline, license guards, repo guards, hooks), so the large footprint is consistent with the stated purpose. One inconsistency: the toolbox contains features that publish to npm and GitHub (wip-release, deploy-public.sh), but the skill does not declare the required credentials (GH/NPM tokens) in its metadata.
- Instruction Scope
- concern: SKILL.md and the repo docs explicitly instruct the agent to edit user configuration files (e.g., add hooks to ~/.claude/settings.json), copy plugin files to ~/.openclaw/extensions/, install binaries into ~/.ldm/, schedule cron jobs, and suggest granting macOS Full Disk Access to an app. It also supports a private→public sync (deploy-public.sh) that can transfer repository content out of a private workspace. While these actions fit a DevOps tool's remit, they involve broad system changes and potential exfiltration paths; the instructions demand persistent writes and privileged configuration edits rather than limiting themselves to read-only or advisory guidance.
- Install Mechanism
- note: The installer is an npm package (@wipcomputer/wip-ai-devops-toolbox) — a typical and expected delivery for Node-based tools. This is medium-risk (public registry package) but not the highest-risk pattern (no unknown download URL or archive extraction). Because the source/registry metadata shown to the platform is 'unknown' and the homepage is empty in the registry metadata (even though SKILL.md references a GitHub URL), you should confirm the npm package identity and provenance (owner, tarball integrity) before installing globally.
- Credentials
- concern: The toolbox performs operations that require credentials (gh CLI for PRs/releases, npm publish, possible GitHub API calls, and scanning/fixing repos). However, requires.env declares no credentials and primaryEnv is none. That mismatch is important: the tool will prompt for or attempt actions that need GH_TOKEN, NPM_TOKEN, or scoped deploy tokens, but those are not surfaced in the skill metadata. Additionally, the instructions propose granting Full Disk Access and scheduling scripts that read ~/.openclaw, ~/.claude, and workspace files — powerful capabilities that should be explicitly disclosed and limited.
- Persistence & Privilege
- concern: The skill is not 'always: true' (good), but its intended install writes persistent hooks into user settings, installs binaries and MCP/OpenClaw plugins, schedules cron jobs, and suggests a macOS app with Full Disk Access. That grants long-lived capabilities to run on every session boot or via cron. These behaviors are coherent with a toolbox that must enforce guards and run audits, but they increase the blast radius and deserve cautious review before granting.
