
Reckit

by christiancattaneo · GitHub ↗ · v2.4.0
cross-platform ⚠ suspicious
Downloads 631
Stars 0
Active Installs 0
Versions 4
Install in OpenClaw
/install wreckit-ralph
Description
Bulletproof AI code verification. The agent IS the engine — no external tools required. Spawns parallel verification workers that slop-scan, type-check, muta...
Usage Guidance
This skill mostly does what it says (a multi-gate verification framework) but has several red flags you should handle before installing or running it:
  1. Source/provenance: The skill source/homepage are unknown. Prefer skills with a traceable repo and maintainer.
  2. Audit the scripts first: review scripts/* and assets/dashboard/server.mjs for any network endpoints, telemetry, or destructive file operations before running. The package contains many shell scripts that will be executed — read them.
  3. Telemetry: locate scripts/telemetry.sh and grep for network POST/PUT/curl/fetch calls. If telemetry is present, ask what is sent and to where; disable it if you don't want data leaving your host.
  4. Run in a sandbox: initially run the skill in an isolated environment (container, disposable VM, or a dedicated non-sensitive workspace) because it will scan project directories (default ~/Projects) and can write .wreckit/ and generated CI files.
  5. Tooling expectations: it attempts to detect and (optionally) invoke external tools (stryker, mutmut, valgrind, etc.). Ensure you understand and control what it will install or execute; prefer installing required tools yourself in a controlled way or rely on the AI fallbacks only after inspection.
  6. Agent config & spawning: it asks for agent subagent spawning (maxSpawnDepth, children limits). Only enable these features if you understand the platform subagent model and are comfortable with autonomous subagent execution.
  7. Least privilege: avoid running this skill on systems with secrets, credentials, or production data. If you must audit sensitive repos, isolate them and disable any telemetry/network calls.
If you want, I can: (A) scan the scripts for network calls and list lines that call curl/fetch/sockets/telemetry, (B) summarize what each script will modify on disk, or (C) produce a minimal safe-run checklist (commands to run the skill in a container and what to mount).
Capability Analysis
Type: OpenClaw Skill
Name: wreckit-ralph
Version: 2.4.0
The wreckit-ralph bundle is a highly sophisticated and comprehensive defensive security auditing suite designed to verify AI-generated code. It includes a wide array of scripts for Static Application Security Testing (red-team.sh), dependency hallucination detection (check-deps.sh), mutation testing, and dynamic analysis. While the bundle requires high-privilege execution (shell access) to run project tests and build tools, its logic is consistently aligned with its stated purpose of code verification and quality assurance. The documentation (SKILL.md) includes specific 'Anti-Fabrication' protocols to prevent AI agents from hallucinating results, and the 'Codex CLI' notes, while suggesting high-risk sandbox bypasses for specific environments, are framed as technical workarounds rather than malicious intent.
Capability Assessment
Purpose & Capability
The name/description (bulletproof code verification, agent-driven) aligns with the included scripts and gate docs (mutation testing, type checks, fuzzing, SAST). However the description explicitly claims "no external tools required" while many scripts detect/expect external tools (Stryker, mutmut, valgrind/ASAN, go test -race, etc.) and will call network registries (check-deps). The registry metadata declares no required binaries/env but the runtime clearly uses HOME and may call out to package managers and remote registries. This inconsistency (claimed zero external dependencies vs. many optional/required tool paths) is unexplained and increases risk.
Instruction Scope
SKILL.md and the scripts instruct the agent to read and operate on a project's filesystem (golden fixtures, .wreckit/, IMPLEMENTATION_PLAN.md, tests, CI files) which is expected for a verifier. But the included dashboard/server will auto-scan ~/Projects (or a user-supplied watch dir) and aggregate .wreckit/dashboard.json across multiple projects — a broad filesystem sweep that could read many repos. The repo also contains telemetry.sh and references to telemetry in scripts/run-all-gates.sh; SKILL.md doesn't declare any external telemetry endpoints or what data is sent. The orchestrator/swarm model expects spawning subagents and changing agent config (agents.defaults.subagents), which grants the skill broad runtime reach; instructions that spawn parallel workers and run arbitrary analysis increase the surface for accidental/exfiltrative behavior if not sandboxed.
Install Mechanism
There is no install spec (instruction-only), which avoids an automatic network download/install step. All runnable artifacts are included as scripts and assets in the skill bundle. This reduces supply-chain download risk, but means executing the skill will run local shell scripts and Node code supplied by the skill — those scripts must be audited before execution.
Credentials
Registry metadata lists no required environment variables or credentials, yet SDKs/scripts implicitly use environment data (process.env.HOME in the dashboard server), and many gates/scripts will probe the host for installed tools and networks (npm, pip, cargo, valgrind, Stryker, registries). The skill also provides a telemetry script but does not declare telemetry endpoints or ask explicit permission. Requiring modification of agent config (agents.defaults.subagents) to enable spawning is another effective capability change not represented in the declared environment/permissions.
Persistence & Privilege
The skill is not force-included (always:false) and does not declare elevated privileges. It does, however, expect the orchestrator/subagent capability (sessions_spawn and maxSpawnDepth >= 2) and instructs the user to set agent config. The skill includes scripts that can write files into a repo (e.g., generated CI workflow, .wreckit proof bundles). These behaviors are normal for a build/audit tool but mean the skill will create files in scanned repos if run — run it in a controlled/sandboxed workspace if you don't want repo mutation.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install wreckit-ralph
  3. After installation, invoke the skill by name or use /wreckit-ralph
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.4.0
Swift/iOS support: type-check (swift build + xcodebuild), mutation testing (AI-estimated, always CAUTION), SPM dependency audit, improved stack detection (SPM/CocoaPods/Carthage/xcworkspace). Site claims hardened: removed overclaimed SHA-256 signing, corroboration threshold corrected to 2+. Renamed to Reckit.
v2.3.2
Added llms.txt for agent discoverability; 24 verification scripts stable
v1.0.1
Add mutation-test.sh, slop-scan.sh scripts. Fix detect-stack for node --test. Tested on whackamole + midas-mcp.
v1.0.0
Initial release: 11 verification gates, swarm architecture, 14-step framework, language-agnostic AI code verification
Metadata
Slug wreckit-ralph
Version 2.4.0
License
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is Reckit?

Bulletproof AI code verification. The agent IS the engine — no external tools required. Spawns parallel verification workers that slop-scan, type-check, muta... It is an AI Agent Skill for Claude Code / OpenClaw, with 631 downloads so far.

How do I install Reckit?

Run "/install wreckit-ralph" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Reckit free?

Yes, Reckit is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Reckit support?

Reckit is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Reckit?

It is built and maintained by christiancattaneo (@christiancattaneo); the current version is v2.4.0.
