Auto Repair Agent
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: auto-repair-agent Version: 1.0.0 The skill provides a 'self-healing' engine that includes a high-risk 'watch' command in `self_healing_engine.js`, which uses `execSync` to execute arbitrary shell commands provided via arguments. While this capability is aligned with the stated purpose of monitoring processes for errors, it provides a direct primitive for shell execution. Additionally, the `learn` command allows for local filesystem persistence by writing user-defined error patterns and fix suggestions to `.self-heal-patterns.json`. The documentation in `SKILL.md` and `README.md` references a specific 'EvoMap GEP' protocol and 'ClawHub' ecosystem, suggesting it is designed for a specific automated environment.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user or agent runs an unsafe command through watch mode, it could modify files, run programs, or perform other local actions.
The skill can execute a shell command supplied to its watch flow. This is documented and purpose-aligned, but it gives the invoked command the user's local permissions.
const out = execSync(command, { encoding: 'utf8', timeout: 60000 });Only use watch mode with commands you explicitly trust and intend to run; do not pass untrusted text directly into the command argument.
Bad learned patterns could lead to poor future repair advice, and sensitive error text may be stored locally if users teach it as a pattern.
Learned repair patterns are persisted locally and loaded in future runs, so incorrect or sensitive learned entries could influence later diagnoses.
const PATTERNS_FILE = '.self-heal-patterns.json'; ... fs.writeFileSync(PATTERNS_FILE, JSON.stringify(custom, null, 2));
Review or delete .self-heal-patterns.json periodically, and avoid learning patterns that contain secrets, tokens, or private error logs.
Users have less provenance information and may not get an install-time warning that Node.js is needed.
The registry metadata gives limited provenance and does not declare the Node.js runtime that the SKILL.md examples require.
Source: unknown; Homepage: none; Required binaries (all must exist): none; No install spec — this is an instruction-only skill.
Verify the publisher and review the included JavaScript before use, especially because the skill can run local commands.