skelm
Pass
Audited by VirusTotal on May 7, 2026.
Overview
Type: OpenClaw Skill
Name: skelm
Version: 0.3.8
The skelm skill bundle provides a framework for authoring and orchestrating secure, agentic TypeScript workflows. The bundle consists of documentation, scaffolding scripts (new-pipeline.sh), and templates (skelm.config.template.ts), consistent with its stated purpose of providing a 'default-deny' permission model for AI agents. The skill requests broad Bash permissions for package managers and development tools; this is consistent with its role as a workflow engine, and the framework's design emphasizes security boundaries, audit logging, and human-in-the-loop approvals.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad command could modify project files, install packages, run workflows, or change git state.
The skill allows file edits/writes and local CLI commands needed to scaffold, validate, and run skelm projects, but those commands can change the user's working tree and runtime environment.
allowed-tools: Read Edit Write Bash(npm:*) Bash(pnpm:*) Bash(skelm:*) Bash(node:*) Bash(git:*)
Use it in trusted projects, review generated workflow files before running them, and approve local commands intentionally.
If a user grants bash or filesystem access with the Pi SDK backend, an agent may have broader local authority than a path allowlist suggests.
The Pi SDK backend limitation is explicitly disclosed: some backend permissions are category-level rather than strict path/binary enforcement.
granting `bash` lets the agent run any executable. Filesystem paths are advisory: `fsRead`/`fsWrite` unlock the tool *category* but don't constrain paths.
Avoid granting bash unless necessary, prefer bounded ephemeral/container workspaces, and use MCP-host backends when per-call binary or path enforcement is required.
Misconfigured or over-scoped API keys could allow workflows or agent backends to spend quota or access provider/account resources.
Provider credentials and secret resolution are expected for LLM/agent backends, but they are sensitive account authority.
API keys can be inlined (`apiKey: 'sk-...'`) or resolved from env (`apiKey: { secret: 'OPENAI_API_KEY' }`). The runtime resolves the secret at gateway start.
Prefer environment-resolved secrets, use least-privilege keys, avoid inlining secrets in config files, and do not print secret values unless absolutely necessary.
Scheduled or gateway-managed workflows may continue running, receiving triggers, or using configured backends until stopped.
The gateway and scheduling behavior are disclosed and central to skelm operations, but they can keep workflows active beyond a single foreground command.
The gateway is a long-running process... Trigger dispatch — receives cron, webhook, interval, and queue triggers; starts runs accordingly.
Run the gateway in the foreground for development, review schedules before enabling them, and use `skelm gateway stop` or uninstall systemd integration when no longer needed.
In an untrusted repository, local context files could steer the agent or expose contextual information to the backend.
Project-local context files can be loaded into an agent backend and may influence agent behavior across a task.
`noContextFiles: false` (default) keeps `AGENTS.md` and `.pi/context/` loaded.
Inspect AGENTS.md and .pi/context files in untrusted projects and disable or constrain context loading where supported.
