v1.0.0

STX Copilot

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 8:19 AM.

Analysis

STX Copilot is a coherent instruction-only IBM ITX/WTX reference skill with no code or credentials, though it documents admin and debugging commands that should be used carefully.

Guidance: This appears safe to install as a reference skill. Before letting it help with shell commands or administration, confirm the exact IBM ITX/ACE environment and get explicit approval. Be especially careful with trace and data-dump settings because they may log sensitive financial or customer data.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
references/execution.md
launcheradmin.sh -auto ... launcheradmin.sh -addir /deployments/maps ... launcheradmin.sh -start MapSystemName ... launcheradmin.sh -stop MapSystemName

These are operational ITX Launcher commands that can change service mode, deployment directories, and map system state. They are documented as reference examples and are aligned with the deployment/debugging purpose, not automatic behavior.

User impact: If a user asks the agent to run these commands, they could start, stop, or reconfigure ITX runtime components.
Recommendation: Only run administrative commands after confirming the target environment, expected impact, and rollback plan.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
references/execution.md
launcheradmin.sh -adduser user:admin;login:admin;pwd:secret

The reference includes an example for creating an administrative Launcher user with credentials. This is purpose-aligned for ITX administration, but it touches privileged account configuration.

User impact: Misuse could create overly privileged accounts or expose credentials in command history or logs.
Recommendation: Use least-privilege accounts, avoid placeholder passwords, and do not paste real secrets into shared chat or logs.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: High; Status: Note
references/debugging.md
export WTX_DUMP_DATA=true
# Capture input data passed to the map in wtxlogger output

The debugging guidance can persist full map input payloads in logs. In the stated financial-message transformation context, those payloads may include sensitive payment or customer data.

User impact: Debug logs could retain sensitive message contents if tracing or data dumping is enabled.
Recommendation: Enable data dumps only temporarily, restrict log access, scrub sensitive values, and apply retention/deletion controls.