ClawHub

Artifact Contract Auditor

v1.0.0

Audit the workspace against the pipeline artifact contract (DONE outputs + pipeline target_artifacts). Writes `output/CONTRACT_REPORT.md`. **Trigger**: contr...

0· 143·1 current·1 all-time
by@willoscar

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for willoscar/artifact-contract-auditor.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Artifact Contract Auditor" (willoscar/artifact-contract-auditor) from ClawHub.
Skill page: https://clawhub.ai/willoscar/artifact-contract-auditor
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install artifact-contract-auditor

ClawHub CLI

Package manager switcher

npx clawhub@latest install artifact-contract-auditor
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match behavior: the script reads UNITS.csv and PIPELINE.lock.md, resolves a pipeline spec, checks for missing DONE outputs and pipeline target artifacts, and writes output/CONTRACT_REPORT.md. Declared requirements (python3/python) align with the provided Python scripts and modules. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
SKILL.md restricts the skill to analysis-only and no network; the implementation matches that (reads workspace files and repo pipeline specs, writes the report and quality gate). One thing to note: the script resolves the pipeline path from the workspace's PIPELINE.lock.md and then uses Path(...).resolve() to load that file. If PIPELINE.lock.md points to an absolute path, the auditor will attempt to load that path — i.e., it will read whatever file path is specified. This is coherent for legitimate pipeline use, but it means the auditor can be directed to read arbitrary local files if the workspace's PIPELINE.lock.md is manipulated.
Install Mechanism
No install spec (instruction-only) and bundled Python code is executed directly; no downloads or external installers are used. This is the lowest-risk install model for bundled code, assuming the user trusts the packaged files.
Credentials
The skill requests no environment variables or credentials. It only reads local workspace files and bundled pipeline specs. No secrets/external tokens are required or declared.
Persistence & Privilege
always:false and normal model-invocation settings. The skill writes only workspace-local report files (output/CONTRACT_REPORT.md and may update output/QUALITY_GATE.md via the quality_gate helper). It does not modify other skills or global agent configuration.
Assessment
This skill appears to do exactly what it says: offline auditing of UNITS.csv and pipeline target_artifacts and writing output/CONTRACT_REPORT.md. Before running it, inspect the workspace's PIPELINE.lock.md (it controls which pipeline spec path is loaded) and ensure it doesn't point to unexpected absolute paths you don't want the auditor to read. Run the script in an isolated or non-sensitive workspace if you are worried about accidental disclosure of local files. If you need stronger guarantees, review the bundled tooling/*.py files (they are included) or run the script under a restricted user account or container.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Any binpython3, python
latestvk97d7v7r72sbknz63qebt7ve898361vv
143downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@willoscar
latest
Download

Artifact Contract Auditor

Purpose: make each workspace auditable and shareable.

This skill checks two contracts:

  1. Units contract: if a unit is marked DONE, its required outputs must exist.
  2. Pipeline contract: the pipeline’s target_artifacts (from the pipeline spec referenced by PIPELINE.lock.md) should exist for a complete run.

It always writes a report so workspaces can serve as regression baselines.

Inputs

  • UNITS.csv
  • PIPELINE.lock.md
  • Pipeline spec referenced by PIPELINE.lock.md (under pipelines/*.pipeline.md; reads YAML target_artifacts)

Outputs

  • output/CONTRACT_REPORT.md

Workflow (analysis-only)

  1. Read UNITS.csv and validate DONE outputs
  • For every unit with status=DONE, verify each required output exists.
  • Outputs prefixed with ? are treated as optional and do not fail the contract.
  1. Read PIPELINE.lock.md and validate pipeline target artifacts
  • Resolve the pipeline spec under pipelines/*.pipeline.md and load target_artifacts from its YAML front matter.
  • Resolve the pipeline spec path and load target_artifacts from its YAML front matter.
  • If the pipeline is complete (all units are DONE/SKIP), verify each required target_artifacts file exists.
  1. Write output/CONTRACT_REPORT.md (always)
  • Include missing DONE outputs (unit-level drift) and missing pipeline targets (pipeline-level completeness drift).

Status semantics

  • PASS: pipeline complete (all units DONE/SKIP) AND all required target artifacts exist AND no DONE unit is missing required outputs.
  • OK: pipeline incomplete (still running) BUT DONE unit outputs are consistent; missing targets are expected.
  • FAIL: at least one DONE unit is missing required outputs OR pipeline is complete but required target artifacts are missing.

How to use this report (self-loop routing)

  • If DONE outputs are missing: fix the contract drift (regenerate the missing artifacts, or revert the unit status to TODO/BLOCKED).
  • If the pipeline is complete but target artifacts are missing: find which unit/skill owns each missing artifact and rerun that unit.

Script

Quick Start

  • python scripts/run.py --workspace workspaces/<ws>

All Options

  • --workspace <dir>
  • --unit-id <U###> (optional)
  • --inputs <semicolon-separated> (unused; runner compatibility)
  • --outputs <semicolon-separated> (unused; runner compatibility)
  • --checkpoint <C#> (optional)

Examples

  • End-of-run audit (recommended before sharing a workspace):
    • python scripts/run.py --workspace workspaces/<ws>

Comments

Loading comments...