Aceforge
Security checks across malware telemetry and agentic risk
Overview
AceForge is purpose-aligned but powerful: it continuously records agent activity, can change persistent skills, and has a validation fail-open path that users should review before installing.
Install only if you want a persistent, code-running skill lifecycle engine. Start with ACEFORGE_DRY_RUN=true, avoid sensitive workspaces at first, review generated skill diffs before approval, keep shared-skill propagation off unless needed, and verify provider tokens, notification channels, and validation behavior.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing it may cause sensitive agent activity to be stored and reused across sessions to create or revise skills.
This shows broad persistent capture of agent operational data, which can include private files, command output, secrets in tool arguments, or user corrections, and can later influence generated skills.
Every tool call your agent makes is logged with full context: arguments, results, success/failure, session identifier, timing, and duration.
Start in dry-run mode, inspect the .forge directory, avoid running it on sensitive workspaces until redaction/scope controls are clear, and review generated skills before approval.
Private task details may be included in prompts sent to the configured generator/reviewer providers.
The skill’s LLM generation pipeline can send trace-derived content to configured external model providers; this is purpose-aligned but may expose sensitive operational context.
Generator ... writes the SKILL.md from real trace data — actual arguments, actual failures, actual corrections.
Use trusted providers, avoid sending sensitive traces, and check whether provider logging/retention settings match your privacy needs.
Future agent behavior can change automatically based on corrections, even when no full skill approval occurred.
The skill can persistently modify agent instructions without a per-change approval step, which weakens the otherwise stated human-approval boundary.
Bounded exception: Correction-driven micro-revisions (anti-pattern appends, instruction notes) self-apply without approval.
Require review for all persistent skill edits where possible, monitor diffs, and use dry-run mode until comfortable with the auto-adjust behavior.
A proposed skill could become active without the advertised validator running if the import fails or is unavailable.
The approval/deploy helper can proceed if the security validator cannot be imported, creating a fail-open deployment path for generated skills.
catch { /* validator import failed — deploy anyway */ }
Change validation to fail closed, block deployment on validator errors, and surface a clear error to the user.
If command inputs are not safely constrained elsewhere, health checks could execute unintended shell content.
The skill uses shell execution for health checks; this is related to validating skills, but shell interpolation should be tightly bounded.
const result = execSync(`which ${command} 2>/dev/null`, { encoding: "utf-8", timeout: 3000 }).trim();
Avoid shell interpolation for command checks, use safe spawn/execFile APIs, and validate command names against an allowlist.
Users may need to provide API keys or webhooks that let AceForge call external services or send notifications.
The skill supports optional provider and notification credentials; these are coherent with LLM generation and notifications, but registry metadata declares no credentials.
ACEFORGE_GENERATOR_API_KEY= ... ACEFORGE_REVIEWER_API_KEY= ... ACEFORGE_TELEGRAM_BOT_TOKEN= ... ACEFORGE_SLACK_WEBHOOK_URL=
Use least-privilege tokens, rotate them if exposed, and verify which providers/channels are enabled before running.
An approved but flawed skill could affect more than one agent if shared skills are enabled.
Optional shared-skill propagation is disclosed and user-controlled, but it can spread a bad generated skill to multiple agents on the machine.
When true, approved skills are ALSO copied to ~/.openclaw/skills/ (visible to ALL agents on the same machine).
Leave shared skills disabled unless needed, and only share skills after inspecting their contents and testing them in a limited workspace.
The skill is not merely documentation; installing it can start plugin services that observe and modify agent state.
The artifact contains executable OpenClaw plugin code that registers a startup service, despite the install section saying there is no install spec; this appears intended, but users should treat it as a code-running plugin.
register(api) { ... api.registerService({ id: "aceforge-startup", start: async () => {
Review the plugin package and runtime permissions before installing, especially because registry requirements do not declare binaries, env vars, or credentials.
