skelm
Pass
Audited by ClawScan on May 7, 2026.
Overview
The artifacts are coherent for a skelm workflow helper, but the skill intentionally enables powerful local workflow, agent, credential, and gateway operations.
Install this only if you intend to use skelm to build or operate agentic workflows. Review generated TypeScript before running it, keep gateway access local or protected with bearer auth for remote use, grant agent permissions narrowly, avoid broad bash/filesystem/network access, and protect any provider API keys or skelm secrets.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad command could modify project files, install packages, run workflows, or change git state.
The skill allows file edits/writes and local CLI commands needed to scaffold, validate, and run skelm projects, but those commands can change the user's working tree and runtime environment.
allowed-tools: Read Edit Write Bash(npm:*) Bash(pnpm:*) Bash(skelm:*) Bash(node:*) Bash(git:*)
Use it in trusted projects, review generated workflow files before running them, and approve local commands intentionally.
If a user grants bash or filesystem access with that backend, an agent may have broader local authority than a path allowlist suggests.
The Pi SDK backend limitation is explicitly disclosed: some backend permissions are category-level rather than strict path/binary enforcement.
granting `bash` lets the agent run any executable. Filesystem paths are advisory: `fsRead`/`fsWrite` unlock the tool *category* but don't constrain paths.
Avoid granting bash unless necessary, prefer bounded ephemeral/container workspaces, and use MCP-host backends when per-call binary or path enforcement is required.
Misconfigured or over-scoped API keys could allow workflows or agent backends to spend quota or access provider/account resources.
Provider credentials and secret resolution are expected for LLM/agent backends, but they are sensitive account authority.
API keys can be inlined (`apiKey: 'sk-...'`) or resolved from env (`apiKey: { secret: 'OPENAI_API_KEY' }`). The runtime resolves the secret at gateway start.
Prefer environment-resolved secrets, use least-privilege keys, avoid inlining secrets in config files, and do not print secret values unless absolutely necessary.
Scheduled or gateway-managed workflows may continue running, receiving triggers, or using configured backends until stopped.
The gateway and scheduling behavior are disclosed and central to skelm operations, but they can keep workflows active beyond a single foreground command.
The gateway is a long-running process... Trigger dispatch — receives cron, webhook, interval, and queue triggers; starts runs accordingly.
Run the gateway in the foreground for development, review schedules before enabling them, and use `skelm gateway stop` or uninstall systemd integration when no longer needed.
In an untrusted repository, local context files could steer the agent or expose contextual information to the backend.
Project-local context files can be loaded into an agent backend and may influence agent behavior across a task.
`noContextFiles: false` (default) keeps `AGENTS.md` and `.pi/context/` loaded.
Inspect AGENTS.md and .pi/context files in untrusted projects and disable or constrain context loading where supported.
