ClawAudit verdict
no0-skill
Agent identity guardian skill that monitors local cognitive files for tampering and enforces access control; all described behaviors are local, protective in nature, and transparently documented.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Findings (23)
Accesses .ssh directory
INSTALL.md · code · .ssh/
Recursive delete from root or home — destructive command
INSTALL.md · prose · downgraded · rm -rf ~
Uses eval() — can execute arbitrary code
no0-core/scripts/heartbeat_processor.py · prose · downgraded · eval(
<script> tag in markdown — potential code injection
no0-dlc-internal-control/internal_control/bulk_auth/service.py · prose · downgraded · <script>
Possible hardcoded credential
no0-dlc-internal-control/internal_control/rules/dynamic_authorization.py · prose · downgraded · token="direct-grant
Pipe to python — executes piped content as Python code
tests/integration_test.sh · prose · downgraded · | python3
Instructs covert action — may act without user awareness
SKILL.md · prose · downgraded · silently
References agent memory files
QUICKSTART.md · code · MEMORY.md
Accesses system credential store
SKILL.md · prose · downgraded · keychain
subprocess execution — runs system commands from Python
no0-core/scripts/event_emitter.py · prose · downgraded · subprocess.run(
Uses exec() — may execute shell commands
no0-core/scripts/heartbeat_processor.py · prose · downgraded · exec(
os.system/popen — direct OS command execution
no0-core/scripts/heartbeat_processor.py · prose · downgraded · os.system(
subprocess with shell=True — command injection vector
no0-core/scripts/heartbeat_processor.py · prose · downgraded · subprocess.run(",
"shell=true
References sudo — requests elevated privileges
no0-core/scripts/heartbeat_processor.py · prose · downgraded · sudo
HTTP request to bare IP address — common in malicious payloads
no0-dlc-internal-control/internal_control/http_auth/integration.py · prose · downgraded · http://127.0.0.1
References SSH/GPG private keys
no0-dlc-internal-control/tests/rules/test_engine.py · prose · downgraded · ssh_private
Python os.environ.get — reads environment variable
no0-core/scripts/event_emitter.py · prose · downgraded · os.environ.get(
Python shutil file operation — copies/moves/deletes files
no0-core/scripts/event_emitter.py · prose · downgraded · shutil.move(
Python os.getenv — reads environment variable
no0-core/scripts/monitor.py · prose · downgraded · os.getenv(
Python urllib.request — network access
no0-dlc-internal-control/internal_control/http_auth/integration.py · prose · downgraded · urllib.request
Python threading.Timer — deferred execution
no0-dlc-internal-control/internal_control/http_auth/server.py · prose · downgraded · threading.Timer(
Base64 encoding/decoding
no0-dlc-internal-control/internal_control/http_auth/token_vault.py · prose · downgraded · base64_encode
importlib.import_module — dynamic module loading
no0-dlc-internal-control/internal_control/interception/tool_interceptor.py · prose · downgraded · importlib.import_module(
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class B/D/E). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.
network_in Is this flag fair?
Thanks — recorded.