Restart Recovery

WarnAudited by ClawScan on May 10, 2026.

Overview

This restart-recovery skill is local and mostly aligned with its purpose, but its checkpoint helper can be tricked into writing outside its checkpoint folder and can resume from tampered checkpoint files.

Review or patch the helper before installing: constrain workflow IDs to safe filenames, enforce that all reads and writes stay inside memory/checkpoints, and verify checkpointHash/schema before resuming. If you enable the AGENTS.md startup rule or a scheduler entry, make sure you are comfortable with future sessions checking and potentially resuming unfinished work.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

High

#ASI02: Tool Misuse and Exploitation

What this means

A bad workflow ID or poisoned checkpoint could overwrite or create local .json/.lock files outside the skill’s checkpoint folder.

Why it was flagged

The workflow ID is used directly as a filesystem path component with no normalization or validation. Values containing '../' or an absolute path could make start/update/complete or resume lock creation read or write outside the intended memory/checkpoints directory.

Skill content

def cp_path(workflow_id: str) -> Path:
    return ROOT / f"{workflow_id}.json"

def lock_path(workflow_id: str) -> Path:
    return ROOT / f"{workflow_id}.lock"

Recommendation

Restrict workflow IDs to a safe slug format, reject path separators and absolute paths, resolve the final path, and verify it remains inside memory/checkpoints before reading or writing.

Medium

#ASI06: Memory and Context Poisoning

What this means

If a checkpoint file is edited or planted, the agent may resume the wrong step, skip work, or act on misleading checkpoint content.

Why it was flagged

The resume path loads a persistent checkpoint from disk and returns it after status/expiry checks, but does not recompute and compare checkpointHash or validate the JSON schema before the agent may act on it.

Skill content

obj = load(p)
if obj.get("status") not in {"in_progress", "blocked"}:
    continue
...
print(json.dumps(obj, indent=2))

Recommendation

Validate the checkpoint schema and hash before returning it, treat checkpoint notes as data rather than instructions, and require explicit user approval before resuming high-impact actions.

Low

#ASI10: Rogue Agents

What this means

Future agent sessions may automatically check and resume local workflows, and a local scheduled monitor may run repeatedly if the user sets it up.

Why it was flagged

The skill intentionally adds persistent startup behavior and recommends a recurring host-scheduled stale-check monitor. This is disclosed and aligned with restart recovery, but it persists beyond a single invocation.

Skill content

On startup, check `memory/checkpoints/*.json` for unfinished workflows... continue from the last completed idempotent step.

Use host scheduler (launchd/systemd/cron)... Run every 10 minutes.

Recommendation

Only add the AGENTS.md rule or scheduler entry if you want this persistent behavior, and document how to disable it.