Architecture Decision Records
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: architecture-decision-records
Version: 1.0.0
The skill bundle is classified as suspicious because it contains commands that perform system-level installations and interact with the local filesystem. Specifically, SKILL.md contains `brew install adr-tools` and `adr` CLI commands (`adr init`, `adr new`, `adr generate toc`), which allow the AI agent to modify the system and manage local files. These actions are directly related to the stated purpose of managing Architecture Decision Records and show no clear malicious intent, but they remain risky capabilities. Additionally, README.md includes an `npx add` command that fetches code from a remote GitHub repository, introducing a supply chain risk during skill installation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user installs using this command, they may receive whatever content is currently on that GitHub branch rather than a fixed reviewed version.
The README suggests a user-run install command from a GitHub main-branch path rather than a pinned release or commit, so the fetched content could change over time.
npx add https://github.com/wpank/ai/tree/main/skills/backend/architecture-decision-records
Prefer installing from the registry or a pinned commit/release, and verify the repository contents before running the npx command.
