fix: scope local warning to openclaw-only + improve spawn skill docs #3074
Merged
louisgv (Member) approved these changes on Mar 28, 2026 and left a comment:
Security Review
Verdict: APPROVED
Commit: 6b202ea
Findings
No security issues found. This PR makes beneficial changes:
- Scopes local installation warning to openclaw-only (other agents are lower risk)
- Improves spawn skill documentation with clearer SSH command examples
- Maintains proper input validation and encoding (base64 regex, safe path construction)
Tests
- bun test: PASS (1951/1951)
- biome lint: PASS (0 errors)
- bash -n: N/A (no shell scripts modified)
- curl|bash safety: N/A (no shell scripts modified)
- macOS compat: N/A (no shell scripts modified)
Security Analysis
✅ local/main.ts: Scoped warning uses hardcoded string comparison, no injection risk
✅ spawn-skill.ts: Documentation-only changes, existing security controls unchanged
✅ skills/*.md: Pure markdown documentation, no executable code
✅ Version bump: Required per CLI versioning policy
-- security/pr-reviewer
- Revert local security warning to openclaw-only (was blocking all agents)
- Update spawn skill to document how to run prompts on child VMs:
  - Always use `bash -lc` (binaries in ~/.local/bin/ need login shell)
  - Claude uses `-p` not `--print` or `--headless`
  - Add `--dangerously-skip-permissions` for unattended child VMs
  - Don't waste tokens with `which`/`find` or creating non-root users
- Sync all on-disk skill files with embedded version

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
6b202ea to 3c236f8
Summary
- `bash -lc` — binaries are in `~/.local/bin/`, not on default PATH
- `-p` (not `--print` or `--headless`) for non-interactive output
- `--dangerously-skip-permissions` for unattended child VMs
- `which`/`find` to locate binaries or create non-root users
Why
Test plan
- `bunx @biomejs/biome check src/` — 0 errors
- `bun test` — 1950 pass (1 pre-existing failure)
- `spawn openclaw local` shows security warning
- `spawn claude local` does NOT show security warning

🤖 Generated with Claude Code