system-repair-expert
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Sensitive details from logs, configuration, paths, hostnames, or error reports could be saved and reused in later sessions.
The skill asks for potentially sensitive troubleshooting material such as logs and config excerpts, then instructs the agent to store the repair process/results for future use without specifying consent, redaction, retention, or retrieval boundaries.
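If any key information is missing (the complete error message, the last 20 lines of the log, the relevant parts of the configuration file...)... Store: save this repair process and its results for future reference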
Only provide redacted logs/configs, and require the skill to ask before saving anything to memory with a clear summary of what will be stored and how to delete it.
The agent could create persistent instructions or tools that affect future behavior before the user has reviewed them.
Creating or writing a new skill can persistently change the user's agent environment, but this step does not explicitly require user approval, a preview/diff, scoped triggers, or rollback before creation.
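If the decision is to create → invoke the built-in "create/write Skill" capability... After creation is complete, suggest that the user test it and consider submitting it to ClawdHub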
Require explicit confirmation before creating any skill, show the full proposed content first, restrict triggers, and provide a deletion/rollback path.
If used carefully, this is normal troubleshooting behavior; if executed blindly, repair commands could still change or damage the system.
The skill may draft repair scripts or commands, which can be high-impact for system repair, but the artifact frames this as a last resort with explicit consent, safety checks, and rollback guidance.
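Only when none of the above approaches can effectively solve the problem, consider writing a one-off repair script/command... The user's explicit consent must be obtained first... Add the most basic safety checks... Provide manual rollback suggestions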
Review every command before running it, test on backups or non-production systems when possible, and confirm rollback steps.
It may be harder to verify whether the reviewed files match the published source or intended release.
The registry metadata gives no source or homepage and lists version 1.0.0, while bundled package/manifest files claim version 1.0.1 and repository information. This is a provenance/coherence gap, not evidence of malicious behavior.
Source: unknown; Homepage: none; Version: 1.0.0
Verify the publisher and repository before relying on the skill, especially because it deals with system troubleshooting workflows.
