Skill v1.1.0

ClawScan security

FlowForge — Autonomous AI Coding Pipeline (Spec → Plan → Code → QA) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 23, 2026, 7:00 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (autonomous coding via Claude Code) matches its behavior, but there are several inconsistencies and risky choices—notably undeclared dependencies, credential handling and account-rotation that copy local credential files, and the use of a 'dangerously' flag that bypasses CLI safeguards.
Guidance
Key things to consider before installing/using FlowForge:

- Expect required binaries: the skill relies on the 'claude' CLI (and likely 'gh', 'jq', and 'openclaw') even though metadata lists none. Install and audit those tools first.
- Credential handling: the skill asks you to store multiple Claude credential JSON files under ~/.claude/accounts and to copy them into ~/.claude/.credentials.json to rotate accounts. That copies sensitive authentication material in cleartext on disk and programmatically swaps them—only proceed if you understand and accept that risk.
- Data exposure: run_forge.sh builds prompts containing repo listings/specs and invokes Claude Code. That sends your repository contents (and task descriptions) to external Claude Code sessions. Do NOT run this against private or sensitive repos unless you trust the endpoints and accept the policy/privacy implications.
- Dangerous flag: the scripts call 'claude --dangerously-skip-permissions', which explicitly bypasses CLI permission safeguards—this is a red flag. Ask why it's needed and whether safer CLI options exist.
- Metadata mismatch: the skill metadata should declare required binaries and sensitive file paths. The absence of those declarations is an incoherence; treat the skill as requiring manual review before use.
- Operational/legal: rotating multiple accounts to evade rate limits may violate service terms; review Claude/Anthropic usage policies.

What you can do before running:

- Audit the 'claude' CLI binary you will use and understand what data it sends.
- Store credentials in a secure place (encrypted) and avoid leaving multiple active credential files if possible.
- Run the scripts in a throwaway/local clone of non-sensitive repos first to observe behavior.
- Consider removing or modifying the '--dangerously-skip-permissions' flag and the automatic credential-copy logic, and require explicit manual account switching instead.

If you want, I can produce a short patch that (a) updates SKILL.md metadata to list required binaries and file paths, (b) replaces automatic credential copying with an explicit, safer prompt for switching, and (c) removes or documents the dangerous flag usage so you can review alternatives.

Review Dimensions

Purpose & Capability
concern: The README/SKILL.md claim no required env vars/binaries, but the scripts and instructions require several external CLIs (claude, gh, jq, openclaw) and access to local credential files. Asking users to store multiple Claude account credential JSONs and rotating them is directly related to the stated multi-account rate-limit goal, but the skill metadata incorrectly declares 'none' for required binaries/env—an incoherence that hides needed privileges and dependencies.
Instruction Scope
concern: run_forge.sh builds large prompts that include repo listings and spec contents and sends them to Claude Code via 'claude --dangerously-skip-permissions --print'. The pipeline reads repository files, writes a workspace under ~/.forge/, reads/writes ~/.flowforge/accounts.txt and ~/.claude/accounts/*.json, and copies chosen credential files into ~/.claude/.credentials.json. All of that is within the claimed function (having the LLM read the codebase and implement changes), but it also means potentially broad exfiltration of repository contents and local credential material to external LLM sessions. The SKILL.md instructs copying credentials and saving them in predictable locations with no encryption or access controls.
Install Mechanism
note: There is no install spec (instruction-only), so no remote downloads — that's lower risk. However, the package assumes installed CLIs (claude, gh, jq, openclaw) without declaring them. That mismatch (no required binaries declared vs. obvious runtime dependencies) is an integrity problem: users may install this expecting no extras, but the scripts will fail or behave insecurely when run.
Credentials
concern: The skill declares no required credentials or env vars, yet it requires users to create and store multiple Claude credential JSON files in ~/.claude/accounts and a rotation list in ~/.flowforge/accounts.txt. It also uses an openclaw CLI event call. Requesting and programmatically copying local credential files (to switch active account) is a high-sensitivity operation and should have been declared and justified explicitly. No guidance is provided for protecting those credential files.
Persistence & Privilege
note: The skill does not set always:true and does not modify other skills' config, which is good. It does create persistent workspaces under ~/.forge/ and expects persistent account files under ~/.claude/accounts/. The act of copying credential JSON into the active credential path is persistent and sensitive but contained to the user's home directory — notable but not an explicit platform privilege escalation. The use of '--dangerously-skip-permissions' in claude calls increases the blast radius by bypassing CLI permission checks.