Rafter Security Review
Audited by ClawScan on May 12, 2026.
Overview
This looks like a coherent security helper, but it delegates trust to the external Rafter CLI, which can add command-checking hooks and optionally use a Rafter API key for remote scans.
This skill appears safe to use if you already trust Rafter. Before installing, obtain the `rafter` CLI from the official source, set `RAFTER_API_KEY` only when remote scans are needed, prefer specific integration flags over `--all`, and remember that initialization may persistently add hooks that inspect future shell commands.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A wrong or compromised `rafter` binary would control the actual scanning and hook behavior.
The skill depends on an external CLI that is not included in the reviewed artifacts, so the runtime behavior and provenance of that binary cannot be verified from this submission.
Source: unknown ... Required binaries (all must exist): rafter ... No install spec — this is an instruction-only skill.
Install the Rafter CLI only from the official source, verify the version and publisher, and review Rafter's own documentation before enabling integrations.

After initialization, shell commands may be inspected, blocked, approved, or logged by Rafter, and `rafter agent exec` may run commands rather than only analyze them.
The skill documents commands that can install command-validation hooks and route shell commands through Rafter. This is central to the skill's security purpose, but it also grants Rafter broad authority over command execution.
rafter agent init --all ... When `rafter agent init` has been run, all shell commands are validated automatically ... rafter agent exec <command>
Use specific `--with-*` integrations instead of `--all` unless you want broad coverage, and use dry-run/classification mode when you only want a risk assessment before execution.

Anyone with access to the key may be able to use the associated Rafter account or quota.
The skill declares an optional provider API key for remote scanning. This is expected for the stated service, but it is still a sensitive credential.
Env var declarations: RAFTER_API_KEY (optional) - API key for `rafter run` (remote SAST + SCA + agentic deep-dive).
Set `RAFTER_API_KEY` only when you need remote scans, keep it out of logs and shared files, and rotate it if it may have been exposed.

Code or repository metadata selected for remote scanning may leave the local environment.
The artifacts disclose an optional remote scan path and distinguish it from the local secrets-only scan. No hidden upload is shown, but remote scans may involve sending code or scan data to Rafter.
Provides `rafter run` (remote SAST + SCA, needs RAFTER_API_KEY) ... Without it, `rafter secrets` (local secrets scan) still works.
Use local `rafter secrets` for strictly local checks, and run remote scans only on repositories you are allowed to submit to Rafter.
