coding-agent
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is coherent for delegating coding work, but it tells the agent to launch other coding agents with sandbox and approval bypass modes that can modify files or run commands without normal prompts.
Install only if you intentionally want OpenClaw to launch external coding agents for real project work. Prefer sandboxed modes, avoid --yolo and bypassPermissions unless you explicitly approve them, use temporary clones or worktrees for PR review, monitor and kill background sessions, and avoid sensitive repositories unless you trust the external coding-agent provider.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A delegated coding agent could edit files or run commands in the project without asking for each high-impact action.
The skill directs use of coding CLIs in modes that bypass confirmations and, for Codex --yolo, remove sandboxing entirely.
Claude Code: use --print --permission-mode bypassPermissions ... `--print` mode keeps full tool access and avoids interactive confirmation ... `--yolo` | No sandbox, no approvals
Use sandboxed and approval-required modes by default. Require explicit user confirmation before using --yolo, --full-auto, or bypassPermissions, and set tight workdir and timeout limits.
Users may over-trust the skill to keep delegated agents inside one folder when the invoked tools may still access or modify other reachable files.
The wording frames the working directory as a containment boundary, but a working directory alone is not an access-control boundary, especially when the same skill also recommends unsandboxed or approval-bypassing modes.
`workdir` ... Working directory (agent sees only this folder's context) ... Agent wakes up in a focused directory and doesn't wander off reading unrelated files.
Describe workdir as a convenience, not a security boundary. Prefer actual sandboxing, temporary clones/worktrees, and explicit file-scope instructions.
A background coding agent may keep running and changing files until the user checks or stops it.
The skill intentionally launches long-running background coding-agent sessions and documents monitoring and kill actions, but the examples do not require a timeout.
For longer tasks, use background mode: bash pty:true workdir:~/project background:true command:"codex exec --full-auto 'Build a snake game'" ... process action:kill
Monitor background sessions, set timeouts where possible, and kill sessions after the intended task is complete.
Safety depends on whatever versions of those external CLIs are installed locally.
The SKILL.md invokes external tools such as codex, claude, opencode, git, and gh, but there is no install spec or declared binary requirement for ClawScan to review.
Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.
Use trusted, up-to-date installations of the referenced CLIs and verify which commands will run before enabling the skill.
The skill can guide the agent toward public or team-visible actions under the user's GitHub identity.
If run, this uses the authenticated GitHub CLI account to post PR comments.
# Post results
gh pr comment <PR#> --body "<review content>"
Review generated PR comments yourself and require confirmation before posting them with gh.
Private source code, prompts, or repository context may be exposed to the selected coding-agent provider depending on that CLI's behavior.
The skill delegates local coding tasks and file exploration to external coding-agent CLIs, which may process project context outside OpenClaw.
Delegate coding tasks to Codex, Claude Code, or Pi agents via background process ... iterative coding that needs file exploration.
Use this only with repositories and providers you trust, and avoid delegating work on sensitive code unless provider data-handling terms are acceptable.
