ClawAudit verdict
rune-kit
Skill is an index/mesh for a collection of 64 development skills organized in a layered architecture; it contains only installation instructions and an architecture overview with no malicious patterns.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Findings (27)
Pipe to bash — executes piped content as shell commands
skills/rune-completion-gate.md · code · | Bash
Prompt injection — tries to override agent instructions
skills/rune-ext-ai-ml.md · code · ignore previous instructions
Uses eval() — can execute arbitrary code
skills/rune-integrity-check.md · code · eval(
<script> tag in markdown — potential code injection
skills/rune-skill-forge.md · code · <script>
Instructs covert action — may act without user awareness
skills/rune-audit.md · code · silently
Uses spawn() — can execute external programs
skills/rune-ext-ai-ml.md · code · spawn(
Pipe to python — executes piped content as Python code
skills/rune-doc-processor.md · prose · downgraded · | Python
References child_process — can spawn system processes
skills/rune-ext-ai-ml.md · code · child_process
Uses exec() — may execute shell commands
skills/rune-ext-ai-ml.md · code · exec(
Dynamic import() — loads module at runtime
skills/rune-ext-content.md · code · import('
Accesses system credential store
skills/rune-ext-mobile.md · code · keychain
Accesses sensitive system files
skills/rune-ext-security.md · prose · downgraded · /etc/passwd
Pipe-to-shell pattern (curl | sh) — supply chain attack vector
skills/rune-ext-security.md · prose · downgraded · curl | sh
Pipe to sh — executes piped content as shell commands
skills/rune-ext-security.md · prose · downgraded · | sh
Recursive delete from root or home — destructive command
skills/rune-sentinel.md · prose · downgraded · rm -rf /
References agent configuration files
skills/rune-docs.md · code · CLAUDE.md
References agent memory files
skills/rune-cook.md · code · memory.md
Opens WebSocket connection
skills/rune-ext-ai-ml.md · code · WebSocket
Accesses sensitive environment variables
skills/rune-ext-content.md · code · process.env.ALGOLIA_ADMIN_KEY
References sudo — requests elevated privileges
skills/rune-sentinel-env.md · prose · downgraded · sudo
Popular HTTP library — network access
skills/rune-hallucination-guard.md · code · axios
References tunneling service
skills/rune-ext-zalo.md · code · ngrok
Blob URL — may embed executable content
skills/rune-graft.md · code · blob:
subprocess execution — runs system commands from Python
skills/rune-sentinel-env.md · prose · downgraded · subprocess.run(
Deno.Command — spawns subprocess in Deno runtime
skills/rune-sentinel-env.md · prose · downgraded · Deno.Command
Makes HTTP request to external URL
skills/rune-ext-content.md · code · fetch('https://
Base64 encoding/decoding
skills/rune-ext-saas.md · prose · downgraded · base64decode
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class A/B/D). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.
Is this flag fair?
Thanks — recorded.