Story Setup

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: story-setup
Version: 1.1.0

The 'story-setup' skill bundle is a comprehensive infrastructure deployment tool for web novel writing projects. It automates the setup of project-specific git hooks, sub-agent definitions, and markdown rules to maintain story consistency and narrative quality. While the bundle utilizes high-privilege capabilities such as executing shell scripts (e.g., `session-start.sh`, `detect-story-gaps.sh`) and browser automation via the `story-researcher` agent, these actions are clearly aligned with the stated purpose of managing a writing environment. Security-conscious design is present, such as the `consistency-checker` and `story-explorer` agents being explicitly restricted to read-only tools. No evidence of data exfiltration, malicious persistence, or intentional prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note (High Confidence)
ASI01: Agent Goal Hijack
What this means

Installing the skill may change how the agent behaves in that project through persistent CLAUDE.md instructions.

Why it was flagged

The setup can replace same-named sections in the project-level CLAUDE.md, which affects future agent instructions. This is disclosed and purpose-aligned, but users should review the resulting instructions.

Skill content
Standard sections in the template (Skill routing table, file structure, collaboration rules, Context Recovery, language) **override** the user's same-named sections
Recommendation

Review the generated or merged CLAUDE.md before relying on the project configuration.

What this means

If the research agent is used, it can automate a local browser and write research files into the project.

Why it was flagged

The deployed research agent can run Bash commands and control a CDP browser for web research. This fits the research purpose, but it is a powerful path that should be used with trusted prompts and intended browser sessions.

Skill content
tools: [Read, Glob, Grep, Bash, Write] ... agent-browser --cdp {cdp_port} eval
Recommendation

Only expose a CDP browser session you intend the agent to use, and review research requests before allowing browser/Bash automation.

What this means

The setup may not deploy exactly as documented, or the agent may need to handle missing templates.

Why it was flagged

SKILL.md references deployment templates that are not present in the supplied file manifest. This looks like an incomplete package/review context rather than malicious behavior, but deployment may fail or require missing content.

Skill content
Read `skills/story-setup/references/templates/CLAUDE.md.tmpl` ... Read `skills/story-setup/references/templates/上下文.md.tmpl`
Recommendation

Verify the package includes all referenced templates before installing or running the setup.

What this means

Text in the writing context file can influence future sessions and may be exposed to the agent automatically.

Why it was flagged

The session-start hook automatically places the first lines of the project context file into the agent session. This is useful for writing continuity, but project notes become persistent/retrieved context.

Skill content
SNAPSHOT=$(head -10 "$BOOK_DIR/追踪/上下文.md")
Recommendation

Keep sensitive data and untrusted instructions out of 追踪/上下文.md, or review that file before starting sessions.

Note (High Confidence)
ASI10: Rogue Agents
What this means

After setup, Claude lifecycle events can automatically run the installed project hook scripts.

Why it was flagged

The skill registers project hooks that continue to run on future session events after installation. The behavior is disclosed and project-scoped, but it is persistent automation.

Skill content
"SessionStart" ... "command": "bash \"$CLAUDE_PROJECT_DIR\"/.claude/hooks/session-start.sh"
Recommendation

Inspect .claude/settings.local.json and .claude/hooks after installation, and remove the hook entries if you do not want automatic execution.