Restart Recovery
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bad workflow ID or poisoned checkpoint could overwrite or create local .json/.lock files outside the skill’s checkpoint folder.
The workflow ID is used directly as a filesystem path component with no normalization or validation. Values containing '../' or an absolute path could make start/update/complete or resume lock creation read or write outside the intended memory/checkpoints directory.
```python
from pathlib import Path

ROOT = Path("memory/checkpoints")  # assumed checkpoint directory; not shown in the scanned snippet

def cp_path(workflow_id: str) -> Path:
    return ROOT / f"{workflow_id}.json"  # workflow_id used as a raw path component

def lock_path(workflow_id: str) -> Path:
    return ROOT / f"{workflow_id}.lock"
```

Recommendation: restrict workflow IDs to a safe slug format, reject path separators and absolute paths, resolve the final path, and verify it remains inside memory/checkpoints before reading or writing.
If a checkpoint file is edited or planted, the agent may resume the wrong step, skip work, or act on misleading checkpoint content.
The resume path loads a persistent checkpoint from disk and returns it after status/expiry checks, but does not recompute and compare checkpointHash or validate the JSON schema before the agent may act on it.
```python
import json

# Fragment from the resume loop: p is one checkpoint file under the checkpoint directory
obj = load(p)
if obj.get("status") not in {"in_progress", "blocked"}:
    continue
...
print(json.dumps(obj, indent=2))  # handed to the agent with no checkpointHash or schema check
```

Recommendation: validate the checkpoint schema and hash before returning it, treat checkpoint notes as data rather than instructions, and require explicit user approval before resuming high-impact actions.
Future agent sessions may automatically check and resume local workflows, and a local scheduled monitor may run repeatedly if the user sets it up.
The skill intentionally adds persistent startup behavior and recommends a recurring host-scheduled stale-check monitor. This is disclosed and aligned with restart recovery, but it persists beyond a single invocation.
From SKILL.md: "On startup, check `memory/checkpoints/*.json` for unfinished workflows... continue from the last completed idempotent step. Use host scheduler (launchd/systemd/cron)... Run every 10 minutes."

Recommendation: only add the AGENTS.md rule or scheduler entry if you want this persistent behavior, and document how to disable it.
