Skill v1.0.0

ClawScan security

Codex Conductor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Feb 11, 2026, 9:12 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and runtime instructions mostly match its described orchestrator purpose, but there are important mismatches and omissions (notably undeclared required CLIs and implied access to test accounts / browser tooling) that you should verify before installing.
Guidance
This orchestrator appears to do what it says, but double-check these before installing or running it:
- Required CLIs: The code expects coding-agent CLIs (codex, claude, opencode, pi) and uses an OpenClaw CLI wake command, yet the skill metadata lists no required binaries. Ensure those CLIs are present and that you understand where they send data (local agent vs cloud service).
- Secrets/test accounts: The orchestrator's manual/browser checks and some test templates assume test user accounts or service credentials. Do not run this on a host containing production secrets. Prepare isolated test accounts / sandbox environments.
- Prompt leakage: Prompts and specs (including code) are passed to external CLIs. If those CLIs call cloud APIs, they may transmit your project content. Avoid including sensitive data in specs/prompts or verify CLI privacy policies.
- Subprocess execution: agent_exec.py invokes external binaries via subprocess.run with prompt text; review and control what prompt files will contain to avoid unintentionally executing arbitrary commands or exposing secrets.
- Run in a safe environment: Initially run the orchestrator against an empty or isolated test repo so you can observe file writes (.orchestrator, docs/) and external calls. Inspect scripts (agent_exec.py, run_gate.py) in full before use.

If you need higher confidence, ask the skill author (or the publisher) to update metadata to declare required binaries and explain expected credentials, or request an explicit README that documents where prompts are sent and what runtime privileges are required.

Review Dimensions

Purpose & Capability
concern
The skill describes an orchestrator that dispatches coding agents (codex, claude, opencode, pi) and performs verification. The included scripts (agent_exec.py, generate_gate_prompt.py, references/codex-runbook.md) explicitly invoke those CLIs and expect an OpenClaw CLI wake command. However, the skill metadata declares no required binaries or credentials. That omission is inconsistent: a legitimate user will need those agent CLIs, and possibly an openclaw CLI and browser automation tooling, for the orchestrator to work.
Instruction Scope
note
SKILL.md and the references direct the agent to generate prompts, launch external coding-agent CLIs, run manual browser and CLI checks, update project docs, and update .orchestrator status. This is coherent with an orchestrator: the instructions stay within the stated delivery orchestration purpose. A noteworthy runtime behavior: the orchestrator itself is expected to perform 'manual verification' (run CLI commands and browser checks), which implies the runtime environment must have access to web browsers, test accounts, and possibly credentials; the skill does not document those requirements. Also, agent_exec.py will pass large prompt text to external CLI binaries — prompts may contain specs and code, which could be sent to remote cloud services depending on the CLI implementation.
Install Mechanism
ok
There is no external install spec (instruction-only installation) and all code is contained in the package. This is lower risk than remote downloads. The package includes multiple scripts and references; nothing in the repo indicates it will automatically fetch or execute arbitrary remote code during install.
Credentials
concern
The skill requests no environment variables or credentials in metadata, yet its runtime requires external coding-agent CLIs and likely test credentials for manual checks. It may rely on credentials/config that exist elsewhere on the host (CLI auth tokens for codex/claude/pi, test user accounts, service API keys). Those are not declared or scoped. Also, prompts and specs (including code) will be fed to external CLIs; if those CLIs forward data to cloud services, sensitive project data could be exposed. The lack of declared binaries/credentials in metadata is a proportionality mismatch.
Persistence & Privilege
ok
The skill writes and manages project-local artifacts (docs/*, .orchestrator/status.json and context.json) within the project directory, which is coherent with its purpose. It does not request always:true or claim system-wide modifications. It does spawn external CLIs and writes changelogs/status locally, which is expected behavior for an orchestrator.