ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Session Handoff

v0.1.0

WHAT: Create comprehensive handoff documents that enable fresh AI agents to seamlessly continue work with zero ambiguity. Solves long-running agent context exhaustion problem. WHEN: (1) User requests handoff/memory/context save, (2) Context window approaches capacity, (3) Major task milestone completed, (4) Work session ending, (5) Resuming work with existing handoff. KEYWORDS: "save state", "create handoff", "context is full", "I need to pause", "resume from", "continue where we left off", "load handoff", "save progress", "session transfer", "hand off"

0· 844·5 current·7 all-time
by@wpank
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (session handoff) match the included scripts and docs. The scripts create, validate, list, and check staleness of handoff markdown files in .claude/handoffs/, and they use git metadata — all expected for this purpose.
Instruction Scope
SKILL.md directs the agent to run the bundled Python scripts and to open/edit the generated files; scripts only inspect local repo state and files and check for secrets. Minor scope notes: quick-start commands in the resume checklist include commands like `env | grep [relevant-var]` and `ps aux | grep [process-name]` which can reveal environment variable values or process details if run verbatim — these are reasonable for debugging but operators should be careful about running them in environments where secrets or sensitive processes are present.
Install Mechanism
There is no formal install spec in the skill bundle (instruction-only at runtime), which minimizes automatic install risk. README includes manual install instructions and an `npx add https://github.com/...` example pointing to an external repo; that is an out-of-band install suggestion (not executed by the skill) — users should vet any external repo URL before running install commands.
Credentials
The skill requires no environment variables, credentials, or special config paths. Scripts operate on local filesystem and git; secret-detection is built into validation. No unrelated credentials are requested in code or SKILL.md.
Persistence & Privilege
Skill does not request always:true, does not modify other skills, and only writes its own files under .claude/handoffs/ in the project. It uses subprocess git calls but does not attempt to persist credentials or alter global agent settings.
Assessment
This skill appears to do what it says: scaffold, validate, list, and evaluate 'handoff' markdown files using local git and filesystem checks. Before installing or running it: (1) Review the scripts yourself (they live in scripts/) if you have sensitive projects — they will create files under .claude/handoffs/ and run git commands in the project directory. (2) Be cautious running the example shell commands (env | grep, ps aux | grep) on machines with secrets; they can expose environment values or process information. (3) The README suggests installing from a GitHub URL — only run external install commands after reviewing/validating the remote repo. (4) The validator looks for likely secrets with regexes but can yield false positives/negatives, so manually verify any flagged content before committing or sharing handoffs. Overall the footprint is local and proportional to the stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk977hv78005rxp4z427wp54t6d80xzb9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments