Is christiancattaneo/wreckit safe?
https://github.com/openclaw/skills/tree/main/skills/christiancattaneo/wreckit
wreckit is a well-structured AI code verification framework with a coherent, documented purpose: it orchestrates 14 verification gates (slop scan, type check, mutation testing, SAST, dynamic analysis, etc.) via a parallel swarm of LLM workers. The install was clean with no suspicious behavior: no canary access, no exfiltration, and no unexpected network connections attributable to the skill. The primary residual risk is that the 14 bundled shell scripts were not fully content-audited, so execution safety at invocation time cannot be fully certified. Additionally, hardcoded installation paths in orchestrator templates suggest an immature marketplace adaptation, and the bundled dashboard server creates a persistent network listener.
Findings (7)
MEDIUM Shell Script Content Not Fully Auditable -20
The skill bundles 14 shell scripts that agents are explicitly instructed to execute during verification runs. The audit scan read these files with cat but their full content was not included in the evidence corpus. Without complete script content review, the commands executed at invocation time cannot be fully certified safe. This is the primary unresolved risk in this audit.
LOW Dashboard Server Creates Persistent Network Listener -10
The skill ships assets/dashboard/server.mjs, a Node.js HTTP server that binds to port 3939 and reads .wreckit/dashboard.json files from target projects. When invoked, it creates a long-running service beyond the skill's immediate task scope. An always-on local web server reading from project directories is a meaningful attack surface if left unattended.
LOW Overly Broad Trigger Keyword List -12
The skill's description registers common developer terms as invocation triggers: 'wreckit', 'mutation testing', 'verification', 'proof bundle', 'code audit', and 'bulletproof'. These terms are frequently used in normal coding conversations and could cause unintended skill activation on user requests that don't require the full 14-gate verification pipeline.
LOW Hardcoded Installation Path in Orchestrator Templates -8
The orchestrator prompt template and worker task strings reference ~/Projects/wreckit-ralph/ as the expected skill path. This is inconsistent with how OpenClaw actually installs skills (/home/oc-exec/skill-under-test/ during this audit) and suggests the skill was authored for personal use without adaptation for marketplace distribution. Agents following the template verbatim will fail to locate scripts, and a malicious user could potentially exploit path confusion.
LOW Outbound Network Access to Package Registries During Dependency Audit -8
scripts/check-deps.sh is designed to verify that all project dependencies exist in external registries (npm, PyPI, crates.io, etc.). Executing this script transmits the target project's dependency list to third-party services. While this is a stated feature and not concealed, users with proprietary or sensitive dependency inventories should be aware of this behavior.
INFO Project Source Code Sent to Anthropic API via Multiple LLM Workers -10
The swarm architecture sends target project source code to up to 11 parallel Anthropic API workers for analysis. Each worker receives file contents as context. This is fully consistent with the user's decision to use an AI verification tool, but represents substantial code egress from the local environment for users auditing sensitive projects.
INFO Clean Install With No Suspicious Behavior During Monitoring 0
The skill installed via the expected OpenClaw sparse-checkout mechanism with no anomalous activity. No skill-originated process executions, unexpected filesystem writes, or exfiltration attempts were detected. All post-install network activity (44.214.208.192:443) is attributable to the openclaw-gatewa platform process, not skill code.