Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Retro

v1.0.1

Weekly/periodic engineering retrospective skill that generates delivery reviews based on git history and code quality metrics. Supports 24h, 7d, 14d, 30d cyc...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md relies heavily on git and common Unix tools (git, find, grep, sort, uniq, wc, cat) and on fetching origin/<default>, but the registry metadata lists no required binaries or credentials. The capability (generating retros from git history) is coherent, but the skill should declare git and related CLI tools as required and be explicit about how it determines the default branch. It also implicitly requires network access and existing git credentials if origin is protected.
Instruction Scope
Instructions explicitly read the repository (commits, diffs, files, TODOS.md) and run git fetch and many git log variants — this is within the stated purpose. However the skill will process potentially sensitive repository contents (commit messages, file diffs, emails, TODOs). The instructions also use an ambiguous placeholder '<default>' for the branch and instruct parallel execution without specifying safeguards or limits.
Install Mechanism
There is no install spec (instruction-only), which minimizes install risk. However the runtime depends on CLI tools being present; the lack of declared required binaries is an inconsistency and may cause runtime failures or hidden assumptions about the execution environment.
Credentials
The skill requests no environment variables or explicit credentials, which is reasonable. But it will implicitly use the host's git credential helpers/SSH keys when running 'git fetch origin', and it reads git config user.name/email — this is normal for a git-based retro but should be explicitly documented so users know their local credentials/identity and remote access will be used.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges. It does not modify other skills or agent-wide settings per the provided content.
What to consider before installing
This skill is largely coherent with its stated purpose (it analyzes git history), but before installing or running it you should:
(1) confirm git and the standard Unix tools (git, find, grep, sort, uniq, wc) are available in the agent environment — the SKILL.md assumes them but the metadata does not declare them;
(2) understand that 'git fetch origin' will use your existing git credential helpers/SSH keys and may contact remote hosts — only run it in repos and against remotes you trust;
(3) be aware the skill reads commit messages, diffs, file contents and TODOS.md — it can surface sensitive data from the repository;
(4) verify or replace the ambiguous '<default>' branch placeholder with your repository's actual default branch to avoid unexpected behavior;
(5) if you want to limit risk, run the skill on a sanitized clone (no secrets) or remove/disable the 'git fetch' step so it only analyzes local history.
If these points are acceptable or corrected, the skill appears functional for its purpose; otherwise treat it cautiously.
