Skill v2.2.0
ClawScan security
Autopilot (automated loop orchestration engine) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 30, 2026, 6:27 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's overall design matches an autopilot code-orchestration tool, but its runtime instructions omit required credentials and explicitly tell agents to bypass approvals/sandboxes — these contradictions and dangerous flags warrant caution.
- Guidance: This skill is plausibly an autopilot for multi-round Plan→Build→Verify workflows, but there are important red flags you should consider before installing:
  1) Missing credential declaration: The SKILL.md says 'claude -p requires ANTHROPIC_API_KEY' but the skill metadata does not declare any required env vars. If you provision an API key, you will be sending task text (and potentially code snippets or error logs) to an external LLM service — ensure the key is properly scoped and that you are comfortable sending that data.
  2) Dangerous bypass flags: The instructions explicitly use flags like --dangerously-bypass-approvals-and-sandbox and --dangerously-skip-permissions and recommend skipping git checks. These flags will weaken safety controls and may allow the agent to make unrestricted modifications. Prefer to remove/disable any 'dangerously' flags or require manual approval before destructive actions.
  3) File-system and code-modification risk: The orchestrator writes into ~/.openclaw/workspace/tasks/... and can modify repository files and run tests. Run this only against disposable/test repositories or after taking backups. Require explicit review/approval steps if you don't want automated commits applied without human review.
  4) Data leakage surface: The tool sends summaries, plans, and possibly error logs to remote models. Review what gets included in spec_plan.md/spec_build.md and avoid embedding full source code or secrets in those files. Consider running in a network-restricted environment if you cannot accept data leaving your environment.
  5) Fixes before use: Ask the author to (a) declare required env vars (e.g., ANTHROPIC_API_KEY) in the skill metadata, (b) remove or gate all '--dangerously-*' flags behind an explicit opt-in, and (c) add explicit user-approval steps before writing to or committing changes in the repo. If you proceed, test on a safe sandbox repository and monitor task directories and git diffs closely.
Review Dimensions
- Purpose & Capability (note): Name/description (plan→build→verify autopilot) match the declared binaries (claude, omx, python3) and the filesystem/git operations described. Requiring claude and omx is coherent for an LLM-driven code orchestrator. However, the SKILL.md documents a required ANTHROPIC_API_KEY for 'claude -p' while the skill metadata lists no required env vars — a mismatch between claimed purpose and declared requirements.
- Instruction Scope (concern): The SKILL.md instructs the agent to create task directories under the user's home, write task.json/spec files, run the claude/omx CLIs with inputs derived from the repo/context, run project test commands (pytest/npm test/etc.), and apply git diffs or directly modify files when the orchestrator 'takes over'. It also repeatedly instructs use of flags that bypass permission/sandboxing (e.g. --dangerously-bypass-approvals-and-sandbox, --dangerously-skip-permissions) and to skip git-repo checks. These are explicit instructions that expand the agent's authority and can cause it to modify arbitrary repository files and send derived context to remote LLM services — both expected for an autopilot but high-risk in practice. Additionally, the skill uses '~' in some path examples although it elsewhere forbids '~' shorthand, indicating minor internal inconsistency.
- Install Mechanism (ok): Instruction-only skill with no install spec or code files. This reduces disk/write risks from installation. Required external CLIs (claude, omx, python3) are expected at runtime but are not installed by the skill.
- Credentials (concern): The runtime text explicitly says 'claude -p requires ANTHROPIC_API_KEY', yet the skill metadata lists no required environment variables or primary credential. This omission is material: the orchestrator will not function without an API key for remote LLM calls, and the skill offers no declaration or guidance for key scoping. The skill also instructs sending plans/build specs (and possibly error summaries/test outputs) to remote models; that may expose repository content or snippets to external services. Declaring no required env vars in the metadata is inconsistent and hides a necessary secret.
- Persistence & Privilege (note): The skill does not request 'always: true' and is user-invocable; it will create a persistent workspace directory (~/.openclaw/workspace/tasks/...) and write task artifacts. That file I/O and the ability to modify code are within the expected scope of an autopilot, but combined with the instruction to bypass sandboxing/approvals they increase the potential blast radius. Autonomous invocation is allowed (platform default) — note that this increases risk if combined with the other concerns.
