Workspace Anchor
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill has a reasonable local workspace purpose, but its validation code uses unsafe shell commands and an undeclared external script that could run unintended local commands.
Review before installing. Only use this skill in trusted local workspaces, avoid validating untrusted path strings, inspect any discovered .project-lock files, and prefer a fixed version that removes shell interpolation and declares or vendors the external project-enforcer helper.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed path, or a poisoned project lock used during validation, could cause unintended commands to run on the user's machine.
A CLI-provided path is inserted into a shell command string. Quoting is not the same as safe escaping, so a crafted path containing quotes or shell metacharacters could alter the command when validation runs.
const targetPath = process.argv[3]; ... execSync(`bash "${enforcerScript}" "${targetPath}" current`, { encoding: 'utf8' })
Avoid shell command strings for validation. Use execFile/spawn with argument arrays, canonicalize paths with Node APIs, reject unsafe characters, and treat .project-lock contents strictly as data.
Validation behavior can depend on unreviewed local code, so installing the skill may run logic that is not visible in the provided artifact set.
The skill may execute a shell script outside the supplied package manifest. The reviewed artifacts do not include that script or declare it as an install requirement.
const enforcerScript = path.join(__dirname, '../../../bin/project-enforcer.sh'); ... execSync(`bash "${enforcerScript}" "${targetPath}" current`
Vendor and review the helper script, declare it as a required dependency, verify its path and integrity, or remove the external-script execution path.
The agent may run local shell searches to locate workspace anchors, which could be broader than the user expects.
The skill directs the agent to use shell execution for local discovery. This is purpose-aligned, but it expands the agent's operational authority on the local filesystem.
Use `exec` to find `.project-lock` files if paths are ambiguous.
Ask the user for the intended workspace root first, limit searches to trusted directories, and avoid broad exec use unless necessary.
A stale or untrusted .project-lock file could mislead the agent into using the wrong project path or expose local project names and paths in agent output.
The skill discovers persistent .project-lock files across the user home and uses their NAME/ROOT values as workspace context. Untrusted lock files could influence which project the agent believes is active.
locations.push(userHome); ... execSync(`find "${expanded}" -name ".project-lock" -type f 2>/dev/null`
Limit discovery roots, inspect discovered anchors before switching, and only trust .project-lock files from known projects.
