Security scan
OpenClaw
Safe
High confidence: The skill and its included audit script are coherent with the stated purpose (repo/agent harness auditing); no unrelated credentials, network calls, or install-time downloads are present, though there are a few small bookkeeping inconsistencies to note before running it.
Assessment advice
This skill appears to do what it says: run a deterministic repository harness audit. Before running it, confirm you have Node installed (SKILL.md uses `node` but the metadata doesn't list it), and set AUDIT_ROOT to the intended repository path (do NOT point it at `/` or other sensitive directories). Review scripts/harness-audit.js yourself if you need stronger assurance — it reads files under AUDIT_ROOT and probes HOME for plugin manifests, so outputs may include any readable files in those loca...
✓ Purpose and capabilities
The skill provides patterns for continuous agent loops and ships a deterministic harness audit script that scores repos. The required env var AUDIT_ROOT aligns with the script's need for a target root path. One minor mismatch: SKILL.md tells users to run `node scripts/harness-audit.js` but the skill's metadata does not list `node` under required binaries.
ℹ Instruction scope
Runtime instructions direct the agent to run the included Node script which enumerates and reads files under the provided root and also probes common plugin locations under HOME. This is expected for an audit tool, but the script can read arbitrary files under AUDIT_ROOT (and looks at HOME for plugin manifests) so the operator should avoid pointing AUDIT_ROOT at sensitive system locations.
✓ Install mechanism
No install spec or remote downloads are used; this is an instruction-only skill with a bundled JS script. No external code is fetched at runtime, lowering install-time risk.
ℹ Credential requirements
Declared required env var is only AUDIT_ROOT, which is proportional. The script also reads process.env.HOME (typical) to look for plugin installs; HOME wasn't declared but is an OS-provided variable. The script reads repository files (package.json, hooks, agents, etc.), which is expected but means secrets present in the audited path could be read and included in output.
✓ Persistence and permissions
The skill does not request permanent/always-on presence, does not modify other skills or system config, and has no install-time persistence. It can be invoked autonomously by the agent (normal default), but has no extra privileges.
Security comes in layers; review the code before running it.
Runtime dependencies
🖥️ OS: Linux · macOS · Windows
Versions
latest v1.0.3 (2026/4/5)
Fixed metadata: added AUDIT_ROOT to requires.env (required by harness-audit.js script)
● Pending
Install command
Official: npx clawhub@latest install continuous-agent-loop
Mirror (faster in China): npx clawhub@latest install continuous-agent-loop --registry https://cn.clawhub-mirror.com
Skill documentation
Patterns for autonomous agent loops with quality gates and recovery.
Loop Selection
Choose your loop type based on requirements:
- Need strict CI/PR control? → continuous-pr
- Need RFC decomposition? → rfc-dag
- Need exploratory parallel generation? → infinite
- Default → sequential
Production Stack (Recommended)
- RFC decomposition — break large requests into a DAG of sub-tasks before looping
- Quality gates — define explicit pass/fail criteria before starting each loop iteration
- Eval loop — run automated checks after each iteration to verify progress
- Session persistence — checkpoint state between iterations so you can resume on failure
Key Patterns
Sequential Loop:
- Single task → execute → verify → repeat
- Best for: stable, incremental work
- Recovery: freeze, audit, reduce scope
RFC-DAG Loop:
- Decompose request → parallel branches → merge results
- Best for: complex multi-part features
- Recovery: replay failing unit
CI/PR Loop:
- Generate → test → push PR → merge on pass
- Best for: code-heavy deliverables
- Recovery: fail fast, surface root cause
Infinite/Exploratory:
- Generate variants in parallel, filter winners
- Best for: creative or search-heavy work
- Recovery: cap iterations, tighten criteria
Failure Modes & Recovery
| Problem | Root Cause | Fix |
|---|---|---|
| Loop churn | Vague acceptance criteria | Freeze & redefine criteria |
| Repeated retries | Same root cause ignored | Run harness audit (see scripts/harness-audit.js), fix root |
| Merge queue stalls | Test flakes or deps | Isolate failing unit |
| Cost drift | Unbounded escalation | Cap token budget per loop |
- Freeze loop
- Run `node scripts/harness-audit.js` — scores 7 categories (tool coverage, quality gates, evals, security, cost efficiency, memory, context)
- Reduce scope to failing unit
- Replay with explicit criteria
References
- `scripts/harness-audit.js` — deterministic audit script, scores repo 0-70 across 7 categories
- `references/harness-audit.md` — full command usage and output contract
Data source: ClawHub · Chinese localization: 龙虾技能库