warn
suspicious.destructive_delete_command
- Location
- MANUAL-INSTALL.md:175
- Finding
- Documentation contains a destructive delete command without an explicit confirmation gate.
3Q-quality-system
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.destructive_delete_command
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
What this means
A copied or mistyped uninstall command could delete more than intended.
Why it was flagged
The uninstall documentation uses a recursive delete command. It is scoped to the skill's own install path and is user-directed, but destructive shell commands should be checked before use.
Skill content
rm -rf ~/.openclaw/workspace-main/skills/self-challenge-3q-v3.1
Recommendation
Run uninstall commands manually, verify each path, and avoid modifying rm -rf commands unless you are sure of the target.
What this means
Following stale install instructions may fail or lead a user to look for an unreviewed installer outside the provided package.
Why it was flagged
The provided file manifest does not include install.sh or a 3Q-Installation-Pack directory. This looks like stale packaging documentation rather than hidden executable code, but users should not run unreviewed scripts obtained elsewhere.
Skill content
"quickstart": { "steps": [ "npx clawhub@latest install 3q-quality-system", "cd 3Q-Installation-Pack", "./install.sh" ] }Recommendation
Use the documented manual install steps from the reviewed files, and do not run any external install.sh unless you inspect it first.
What this means
The agent may continue seeing and acting on the QualityOS reminder configuration in later sessions.
Why it was flagged
The manual install appends persistent OpenClaw workspace instructions for heartbeat reminders and weekly quality reporting. This is disclosed and purpose-aligned, but it changes ongoing agent behavior.
Skill content
cat >> ~/.openclaw/workspace-main/HEARTBEAT.md ... HEARTBEAT 自动检查 ... 每周生成质量仪表板报告
Recommendation
Back up HEARTBEAT.md before installing and remove the QualityOS block if you no longer want persistent quality reminders.
What this means
Quality dashboards or agent summaries could overstate actual quality metrics if the defaults are not replaced.
Why it was flagged
The install guide creates persistent quality metric values that future reports could treat as real workspace data unless the user understands they are defaults or targets.
Skill content
cat > ~/.openclaw/workspace-main/quality-metrics.json ... "manualTriggerRate": 0.90, "avgScore": 14.0, "sGradeRatio": 0.50
Recommendation
Treat the initial metrics as placeholders and update them with real measurements after installation.