NightPatch
Warn. Audited by ClawScan on May 10, 2026.
Overview
NightPatch is mostly transparent about local maintenance, but it needs review because its cron setup can run real unattended patches and its patch executor builds shell commands from variables.
Install only if you are comfortable with a local automation tool that can read command history, scan workspace files, and modify shell configuration. Run dry-run first, inspect setup-cron.sh and run-nightly.sh before enabling cron, back up ~/.bashrc and important workspace files, and restrict scanned directories.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled, NightPatch may keep running overnight and make local shell or workspace changes while the user is not present.
The cron setup path creates a persistent nightly task and writes a runner that executes the real patch command, not only dry-run detection.
CRON_JOB="0 3 * * * cd $SKILL_DIR && ./run-nightly.sh >> $SKILL_DIR/logs/cron.log 2>&1" ... if ./start.sh run >> "$LOG_FILE" 2>&1; then
Do not enable cron until you inspect run-nightly.sh. Keep it in dry-run mode by default and require an explicit user approval step before real patches.
A malformed or attacker-influenced alias suggestion could run commands under the user's account.
The static scan shows a shell command built by interpolating suggested_alias. In a patching workflow, an unsanitized alias value could cause unintended shell execution.
const checkAlias = execSync(`alias ${suggested_alias} 2>/dev/null || true`, {
Validate alias names with a strict allowlist such as /^[A-Za-z_][A-Za-z0-9_]*$/ and avoid shell interpolation where possible.
Changes to ~/.bashrc persist across shell sessions and can affect future terminal behavior.
The skill discloses that it reads command history and writes to the user's shell startup configuration.
`~/.bash_history` - **read-only** ... `~/.bashrc` - **read/write**, only appends new aliases to the .bashrc file
Back up ~/.bashrc, review every alias before applying, and prefer a separate alias file if possible.
Private local context may be stored in NightPatch reports and logs, even though no external transmission is shown.
The skill scans local workspace/log content and writes reports/audit logs that may preserve command names, filenames, or workflow details.
Workspace files - **read-only scan** ... Log files - **read-only analysis** ... Automatically generates patch reports ... Records security audit logs
Limit scanned directories, avoid sensitive workspaces, and periodically review or delete generated reports and audit logs.
Users have less registry-level assurance about where the runnable package came from and what runtime setup is required.
The registry metadata does not provide source/install provenance even though the artifact includes runnable scripts and Node code.
Source: unknown; Homepage: none ... Install specifications: No install spec — this is an instruction-only skill ... Code file presence: 9 code file(s)
Publish a clear source URL, add an install spec and capability declarations, and install only from a trusted package.
