linux-riscv-contribute
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is a coherent, human-gated kernel-contribution workflow, but it can modify a local Linux tree, use worker agents, and create public GitHub issues if the user approves.
Before installing, confirm that the configured GitHub repository and assignee are yours or intended, run the workflow in a clean Linux worktree, keep the human gates in place, and verify what data your ACP agents may receive or retain.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An approved run may change the local Linux working tree and consume compute by building or testing kernel code.
The skill directs worker agents to modify code and run build/test loops. This is central to the kernel-contribution purpose and bounded by plan approval and iteration limits, but it is still high-impact local development authority.
Run iterative loop until pass or policy limit:
1. Implement approved plan.
2. Build and run configured tests.
3. Parse failures and patch.
Run it in a clean branch, disposable worktree, or container; review workflow.yaml limits; and inspect diffs before approving patches.
The workflow may create or modify visible GitHub issues using the user's configured GitHub identity.
Creating or updating GitHub issues requires delegated account or repository authority. The action is disclosed and gated by human triage, but users should verify the target repository and credential scope.
For each approved gap:
- Create/update issue in configured repo.
- Add labels from severity/type.
Confirm the configured repository before Step 2, use the least-privileged GitHub token or account available, and review the approved gap list before syncing issues.
Repository context, gap evidence, plans, or patches may be shared with configured worker agents/providers.
The workflow sends planning and implementation tasks to ACP worker agents. This is explicitly part of the design, but the artifacts do not describe the data boundary, provider retention, or isolation properties of those agents.
Spawn ACP session explicitly:
- `runtime: "acp"`
- `agentId: "claude-code"`
...
Spawn ACP session explicitly:
- `runtime: "acp"`
- `agentId: "codex"`
Use only trusted ACP agents and provider configurations, and avoid running this on private code or sensitive patches unless those data-sharing terms are acceptable.
Project context and prior agent outputs may remain on disk and be reused in future workflow steps.
The skill intentionally persists workflow state, logs, gap registries, issue mappings, plans, and patch artifacts. This supports auditability, but stale or incorrect state could influence later runs.
Record each iteration in `state/run_history/*.json`.
Review and clean the kernel/openclaw state directory when switching projects or after failed runs, and do not treat stored agent output as authoritative without review.
