Skill v1.0.0

ClawScan security

rpm-ostree Toolkit — Fedora Atomic / Bazzite Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 23, 2026, 9:12 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, required binaries, and actions are coherent with an rpm-ostree management tool; no unexplained credentials, installs, or hidden behavior were found, though it assumes the agent will run privileged system commands and uses some utilities not listed in the declared requirements.
Guidance
This skill appears to do what it says: manage rpm-ostree on immutable Fedora/Bazzite systems. Before using it, be aware: (1) many commands require root/wheel and will change the OS image and require a reboot; (2) the SKILL.md runs common utilities (python3, systemctl, journalctl, grep, head, tail) that are not listed as required — ensure they exist in your environment; (3) commands like 'rpm-ostree install <url>' or rebases that reference container registries will fetch and install remote artifacts — only use trusted URLs/registries; (4) consider running sensitive operations manually rather than allowing autonomous invocation, test in a VM or backup important data, and review any remote RPM or remote ostree source before applying.

Review Dimensions

Purpose & Capability
note
The name/description align with the instructions: all commands are rpm-ostree/system-management operations appropriate for Fedora Silverblue/Bazzite. Minor mismatch: SKILL.md invokes other common system utilities (python3, systemctl, journalctl, grep, head, tail) but the registry metadata only declares rpm-ostree and ostree. These are common on Linux systems, but the skill should ideally declare them as dependencies.
Instruction Scope
ok
All instructions stay within the expected scope of immutable-OS management: status, install/uninstall, rebase, rollback, cleanup, and troubleshooting. The guide includes installing RPMs from URLs and rebases to container-backed ostree remotes (e.g. ghcr.io), which is expected for this domain. There are no instructions to read unrelated user files or environment variables.
Install Mechanism
ok
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill bundle itself. That is the lowest-risk install mechanism.
Credentials
ok
The skill requests no environment variables or credentials. It does require root/wheel privileges for the operations it documents, which is proportional to the task of modifying system deployments.
Persistence & Privilege
note
always:false (no forced inclusion). However, the skill's runtime instructions perform privileged system operations (rpm-ostree, systemctl, journalctl). Because model invocation is allowed by default, an agent could autonomously run these commands if permitted; this is expected for system-management skills, but users should be aware of the potential impact of autonomous actions.