Skill v1.9.72
ClawScan security
Wip Release · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 9:26 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to implement a legitimate one-command release pipeline, but there are inconsistencies between the declared metadata and the runtime instructions (notably undeclared secrets/paths) and a few instruction steps that warrant caution (running deploy scripts in another repo, broad git/npm/gh operations).
- Guidance: This package implements a powerful, repository-changing release pipeline and requires credentials to publish (npm token, 1Password SA token, and authenticated gh). Before installing:
  1) Verify the registry metadata vs SKILL.md — confirm which secrets and binaries the package will actually need and that you are comfortable providing them.
  2) Inspect deploy scripts in any website repo referenced by .publish-skill.json or WIP_WEBSITE_REPO; the tool will run that repo's deploy.sh, which can execute arbitrary code.
  3) Test locally with --dry-run and --no-publish to observe file changes without pushing/publishing.
  4) Ensure 1Password/gh/npm credentials are scoped minimally (use a publish-only npm token and limited 1Password SA permissions).
  5) Consider forking the project and reviewing code (or pinning to a commit) if you will grant tokens.
  The primary issues here are metadata/requirements mismatches and the pipeline's ability to run external deploy scripts — both are explainable but worth addressing before trusting the tool in an automated agent environment.
Review Dimensions
- Purpose & Capability (note): The code and SKILL.md implement exactly what the name/description claim: bumping package.json, updating SKILL.md and CHANGELOG.md, committing/tagging, pushing, publishing to npm/GitHub, and optionally copying SKILL.md to a website and running deploy.sh. That behavior justifies requiring git, npm, gh, and op. However, the SKILL.md metadata also lists 'clawhub' and explicit 1Password/npm secret requirements that are not reflected in the registry-level requirements shown at the top of the package metadata — an inconsistency that should be resolved before trusting the package.
- Instruction Scope (concern): Runtime instructions and the included code perform wide-scoped repository modifications: writing package.json/CHANGELOG.md/SKILL.md, renaming/moving RELEASE-NOTES files to _trash, staging many paths, committing with --no-verify, tagging, pushing, and running npm publish (via 1Password). The SKILL.md additionally instructs copying SKILL.md into an external website repo and running that repo's deploy.sh, which will execute arbitrary code from another repository. These are coherent with a release tool but are powerful operations that can mutate many files and run external scripts — test thoroughly with --dry-run and --no-publish and inspect target deploy scripts before enabling.
- Install Mechanism (ok): Install is via npm package @wipcomputer/wip-release and the package.json and code files are present. This is a standard mechanism for a JS CLI; no remote ad-hoc archive downloads or obscure URLs were used in the install spec. Dependency on @modelcontextprotocol/sdk is expected for the MCP server component.
- Credentials (concern): The SKILL.md explicitly requires a 1Password service-account token at ~/.openclaw/secrets/op-sa-token and an 'npm Token' in an 'Agent Secrets' vault (to fetch npm auth via op), plus gh and possibly clawhub credentials. Yet the registry metadata shown earlier lists no required env vars/config paths or primary credential. Requesting direct access to an npm publish token and a 1Password SA token is proportionate to the stated goal (it needs to publish), but the omission in the metadata is a red flag: verify what secrets the installed package will actually read and ensure the registry entry accurately declares those requirements before installing.
- Persistence & Privilege (ok): The skill does not request 'always: true'. It exposes an MCP server tool for release automation (mcp-server.mjs), which is consistent with providing a programmatic interface. disable-model-invocation is false (normal). The skill does not appear to modify other skills' configurations; it performs repository-local changes only.
