Skill v1.0.3
ClawScan security
Huo15 Autoresearch Loop · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 24, 2026, 4:15 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill mostly does what it claims (run an autonomous modify→verify loop), but it runs arbitrary commands (via CLAUDE_TASK and verify_command), performs destructive git operations (reset --hard, clean), and contains implementation inconsistencies — the combination is disproportionate and warrants caution.
- Guidance: This skill will run arbitrary shell code (it evals the CLAUDE_TASK content) and will run whatever verification command you supply; it also commits or forcibly reverts/cleans your git working tree. Only run it in a disposable or backed-up repository, or inside a container/VM. Before installing/running: (1) inspect and control the CLAUDE_TASK value the agent will receive; (2) ensure you have backups or an isolated test repo; (3) be aware that python3, git, and timeout must exist on the host; (4) consider disabling commit/revert behavior (or set revert_on_fail/commit_each_success appropriately); (5) note the scripts contain bugs/inconsistencies (e.g., state functions vs. expected 'state' command) — expect unpredictable behavior and test cautiously.
Review Dimensions
- Purpose & Capability (concern): The skill's stated purpose (autonomous modify→verify loop) matches the included scripts: it executes modification tasks, runs verification commands, and commits/reverts git. However the SKILL.md claims '非侵入设计' ("non-intrusive design") and '只通过 exec 调用脚本' ("only invokes scripts via exec"), yet the scripts perform potentially destructive git operations (git reset --hard, git clean) and eval arbitrary task content — these behaviors are intrusive by design and should be clearly justified to users.
- Instruction Scope (concern): Runtime instructions and scripts execute arbitrary commands in two ways: eval "$CLAUDE_TASK" (executes whatever is in the CLAUDE_TASK env var) and running user-supplied verify_command with timeout. These let the skill run arbitrary shell code against the repository and system. Scripts read/write ~/.openclaw/tmp state files and call git, python3, and timeout — they also write logs and modify the repo. The SKILL.md does not fully enumerate these execution risks or the need to trust the task content.
- Install Mechanism (ok): No install spec (instruction-only with included scripts). This minimizes installer risk because nothing is downloaded during install. The code will be executed when invoked, so runtime behavior (not install) is the main risk.
- Credentials (concern): The skill declares no required env vars but relies on CLAUDE_TASK (checked at runtime) as the mechanism to receive modification instructions. That env var is not declared in metadata and allows arbitrary code execution. The scripts implicitly require git, python3, and timeout binaries but do not declare them. No credentials are requested, which is consistent, but the presence of eval( CLAUDE_TASK ) is a high-risk implicit 'credential'/input point that is not surfaced in metadata.
- Persistence & Privilege (note): The skill persists state and logs under ~/.openclaw/tmp — this is scoped to the user home and is expected. It does not request 'always: true' or modify other skills. However, it does modify the repository (commits and hard resets) which can permanently change or delete user code if run in a real project.
