Openclaw Retro

Verdict: Pass. Audited by ClawScan on May 10, 2026.

Overview

Openclaw Retro is an instruction-only retrospective helper that reads Git history and TODO data for a user-invoked report; the sensitive behavior is disclosed and aligned with its purpose.

This skill appears safe to install if you want a Git-based retrospective. Before using it, make sure you are in the intended repository and are comfortable with the agent reading commit history, contributor metadata, changed file paths, and TODOS.md content; review the report before sharing it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill can contact the configured Git remote and read repository history, changed file paths, test-file counts, and the TODO backlog.

Why it was flagged

The skill directs the agent to run local Git and shell commands, including a remote fetch and repository data collection. These commands are central to the retrospective purpose, but they do interact with the user's local Git environment.

Skill content
git fetch origin <default> --quiet ... git log origin/<default> --since="<window>" ... find . -name '*.test.*' ... cat TODOS.md 2>/dev/null || true
Recommendation

Invoke it only inside the intended repository and review the generated report before sharing it outside the team.

What this means

The generated retrospective may reveal the user's Git identity and teammate names or email addresses from commit metadata.

Why it was flagged

The workflow reads the current Git user's name/email and contributor author names/emails to label 'you' and teammates in the retrospective. This is expected for contributor analysis but involves personal identity data.

Skill content
git config user.name
git config user.email ... git log origin/<default> --since="<window>" --format="%H|%aN|%ae|%ai|%s"
Recommendation

Treat the output as potentially containing personal or internal team information, especially before posting it in public channels.

What this means

Private project plans, backlog items, or commit-message content may influence and appear in the retrospective.

Why it was flagged

The skill brings repository notes, commit messages, and TODO backlog content into the agent's context for summarization. This is purpose-aligned, but project notes and commit text can contain sensitive details or misleading instructions.

Skill content
cat TODOS.md 2>/dev/null || true ... Check the diff for `TODO`, `FIXME`, and `HACK` comments and cross-reference them with the known items in TODOS.md.
Recommendation

Avoid running it on repositories with confidential TODOs or review the output carefully; repository text should be treated as data, not as instructions to override the user's goal.