Code Reputation
Rating: Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for code caching, but it retrieves and encourages running external cached code, injects provider-supplied prompt text, and writes provider-named files without enough containment.
Install only if you are comfortable sending selected code to Raysurfer and reviewing cached code before running it. Use a sandbox for retrieved code, inspect files before upload, and be cautious until the file-write path handling and untrusted prompt handling are tightened.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1

Impact: A retrieved cache result could overwrite files in locations the user did not intend, if the process has filesystem permission.

Evidence: Files returned by the external API are written using the API-provided filename without rejecting absolute paths or '..' traversal, so a malicious or compromised response could write outside the intended cache directory.

for f in result.files:
    file_path = cache_path / f.filename
    file_path.write_text(f.source)

Recommendation: Constrain writes to a resolved cache directory, reject absolute paths and parent-directory traversal, avoid overwriting existing files without confirmation, and sanitize filenames from the API.
Finding 2

Impact: A poisoned cached result could include instructions that redirect the agent, suppress review, or cause unintended tool use.

Evidence: The skill prints provider-supplied text explicitly labeled for addition to the LLM prompt, with no artifact guidance to treat it as untrusted data or strip instructions.

print(f"\n--- Add to LLM prompt ---\n{result.add_to_llm_prompt}")

Recommendation: Treat retrieved prompt additions as untrusted reference material, quote or delimit them, strip agent-control instructions, and require user approval before following any instructions contained in retrieved cache content.
Finding 3

Impact: Cached code could perform unintended local actions if run without inspection, especially if the cache contains stale, unsafe, or malicious code.

Evidence: The skill encourages running code retrieved from an external cache, but the artifacts do not specify sandboxing, provenance checks, review steps, or containment before execution.

"the agent can retrieve and run the cached code instead of regenerating it"

Recommendation: Require explicit review before execution, run retrieved code only in a sandbox with limited filesystem and network access, and show provenance and trust metadata for each cached result.
Finding 4

Impact: Private source code, credentials accidentally committed in files, or customer data embedded in generated scripts could be uploaded to the provider.

Evidence: The upload command reads selected local files and sends their contents to the Raysurfer cache, which is expected for the skill but can store sensitive code or embedded secrets if users choose the wrong files.

files_written.append(FileWritten(
    path=str(path),
    content=path.read_text(),
))

Recommendation: Review files before upload, exclude secrets and private data, document cache retention/sharing clearly, and consider adding secret scanning or file-type restrictions.
Finding 5

Impact: The skill can act against the user's Raysurfer account using the configured API key.

Evidence: The skill requires a Raysurfer API key and passes it to the Raysurfer client; this is purpose-aligned and disclosed, with no evidence of unrelated credential use.

api_key = os.environ.get("RAYSURFER_API_KEY")

Recommendation: Use a dedicated, least-privilege API key if available, rotate it if exposed, and avoid sharing the environment with untrusted code.
Finding 6

Impact: Users may install whatever version of the external package is current at install time, which can change behavior outside this reviewed artifact set.

Evidence: The helper depends on an external package that is not provided or pinned by an install spec in the supplied artifacts.

from raysurfer import RaySurfer
...
print("Install with: pip install raysurfer", file=sys.stderr)

Recommendation: Provide a pinned dependency specification or lockfile, document the trusted package source, and verify the package before installation.
