Skillv1.9.72

ClawScan security

Wip Repos · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 21, 2026, 9:26 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, install spec, and runtime instructions are consistent with a repo-manifest reconciler: it requires node+git, installs an npm package that provides the CLI and MCP server, and its code reads/writes repo files and the manifest as expected.
Guidance: This skill appears to do exactly what it says: compare a repos-manifest.json to a directory tree and move/update repos/files to match. Before installing or running it: 1) Inspect your repos-manifest.json and ensure it only references intended paths. 2) Always run wip-repos sync with --dry-run first to preview moves. 3) Limit the directories you pass as manifestPath and reposRoot (avoid running against / or other sensitive roots). 4) Be aware the tool can create/update files in repos (CLAUDE.md, LICENSE, .license-guard.json, etc.) — review 'fix' behaviors in a test environment. 5) If you do not want remote/agent callers to change your filesystem, do not start the MCP server or only run it in a trusted environment. Finally, if you want extra assurance, review the remainder of the compliance/fix functions (the provided core.mjs excerpt was truncated) to confirm no unexpected network calls or exfiltration behaviors are present.

Review Dimensions

Purpose & Capability: okName/description, required binaries (node, git), npm install of @wipcomputer/wip-repos, and the included code (core.mjs, cli.mjs, claude.mjs, mcp-server.mjs) all align with a tool that compares a repos-manifest.json to a repo tree and performs moves/edits. Nothing requested is unrelated to repo-manifest reconciliation.
Instruction Scope: noteSKILL.md and the code instruct the agent to walk the filesystem, read package.json and .git/config, compare to the manifest, update the manifest, move directories (renameSync), and create/update files (e.g., CLAUDE.md, compliance files). This is consistent with the stated purpose but does grant the skill the ability to modify repo files and move directories under the provided reposRoot/manifestPath. Review and run with --dry-run first and ensure manifestPath/reposRoot point only at intended directories.
Install Mechanism: okInstall is an npm package (@wipcomputer/wip-repos) which provides the 'wip-repos' binary. This is a normal, expected install mechanism for a Node CLI. package.json dependency on @modelcontextprotocol/sdk is expected for the included mcp-server. There are no arbitrary URL downloads or extract-from-URL steps.
Credentials: okThe skill requests no environment variables or credentials. It reads local filesystem items (manifest, .git/config, package.json, LICENSE, etc.) which are necessary for its purpose. No unrelated secrets or external credentials are requested.
Persistence & Privilege: notealways:false (normal). disable-model-invocation:false (normal for skills). The included mcp-server exposes the toolset via the Model Context Protocol SDK, which enables agent/LLM callers to invoke these operations; this is expected but increases blast radius if callers can supply arbitrary manifestPath/reposRoot. The skill does write/modify repository files and the manifest — appropriate for its purpose but high-impact if misused.