← Back to Skills Marketplace
334
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install runtime-debugging-skill
Description
Diagnose and fix bugs using runtime execution traces. Use when debugging errors, analyzing failures, or finding root causes in Python, Node.js, or Java appli...
Usage Guidance
Key things to consider before installing or following these instructions:
- Source verification: There is no homepage or clear publisher provenance. Verify the upstream project/repo (Syncause) and its maintainers before running any installers.
- Don’t run remote installers blindly: Inspect any shell script downloaded via curl|bash and review the contents of packages pulled by npx/@syncause and the wheel URL before executing or adding them to your project.
- Avoid global config edits unless you understand them: The MCP install docs propose writing to many project and global IDE files (~/.vscode, ~/.claude, ~/.codex, etc.). Prefer project-level, reviewable changes and avoid modifying global user configs without consent.
- Secrets handling: The docs show placing API_KEY and other tokens into configs and even include hard-coded tokens in the Java example. Do not commit secrets into repo files. Ask the author why example tokens are present and replace with secure secret storage (env vars, secret managers) and ensure tokens are rotated if they were ever published.
- Prefer pinned versions and reproducible installs: Unpinned 'latest' npx installs and curl|bash patterns are risky. Ask for SHA-verified releases or package-versioned installs instead.
- Code modifications: The skill instructs injecting initialization code into entrypoints and generating a manual installation patch (with advice to avoid git diff). This is unusual; insist on clear diffs and code-reviewable commits so changes are auditable and reversible.
If you decide to proceed for testing, do so in an isolated environment (ephemeral VM/container) and audit the downloaded artifacts first. If you can, request the publisher to declare required env vars and provide verifiable release artifacts (GitHub repo + signed release, or published packages with pinned versions) and remove any hard-coded tokens from documentation.
Capability Analysis
Type: OpenClaw Skill
Name: runtime-debugging-skill
Version: 0.1.0
The skill bundle is classified as suspicious due to several high-risk security practices and invasive requirements. It instructs the agent to install a 'Syncause SDK' using insecure methods, including a 'curl | bash' command in 'references/install/nodejs.md' and the use of hardcoded GitHub Personal Access Tokens (PATs) in 'references/install/java.md' to access private repositories. The SDK utilizes bytecode manipulation and runtime tracing to send application data to a remote websocket (wss://api.syn-cause.com). While these capabilities are framed as debugging features, the combination of hardcoded credentials, remote script execution, and instructions in 'SKILL.md' to manipulate the agent's reporting behavior presents a significant security risk and potential for abuse.
Capability Assessment
Purpose & Capability
The skill is clearly an instrumentation-based debugger: it instructs adding an SDK, instrumenting application entry points, and running an MCP debug server to collect traces — which is coherent with the stated purpose. However, the installation guidance requires modifying many project and global editor config files (VSCode, Claude, Codex, Gemini, various dotfiles) and running remote installers, which is broader than a minimal debugger and may be unnecessary for many users. Additionally, the Java guide embeds what look like GitHub package tokens directly in the example pom.xml — a disproportionate and suspicious artifact for a simple debug helper.
Instruction Scope
The SKILL.md and reference guides instruct the agent (or user) to: edit project entrypoints to inject init code, create test files and helper scripts, add persistent MCP server config to multiple global/project-level IDE settings, and run reproduction scripts. They also instruct to stop on 'Unauthorized' and configure API_KEY, but the skill metadata declares no required env vars. The guidance to avoid using 'git diff' and instead generate an .syncause/installation.patch manually is unusual and could be used to hide or obscure changes. Overall the instructions allow broad file edits and persistent config changes beyond ephemeral debugging, and they advocate executing remote scripts and packages.
Install Mechanism
There is no packaged install spec in the skill bundle, but the referenced install docs instruct running remote installers: curl|bash from raw.githubusercontent.com, npx -y @syncause/debug-mcp@latest, and adding a Python wheel URL hosted on GitHub releases. curl|bash and unpinned 'npx -y ...@latest' are high-risk (remote code fetched and executed without content review or version pinning). The Java instructions include configuring a GitHub Packages repository with what appear to be embedded tokens. These mechanisms are legitimate for some SDKs, but given their unpinned, remote-execution nature they are high risk.
Credentials
The skill metadata declares no required environment variables or credentials, yet the instructions repeatedly require an API_KEY, projectId, and appName; the MCP login mode shows placing API_KEY into mcp server configs. Worse, the Java guide contains two hard-coded-looking tokens (syncause.repo.token.p1/p2) embedded in sample pom.xml properties. This mismatch (no declared env vars vs many secret-bearing placeholders and example tokens) is a significant proportionality concern.
Persistence & Privilege
The skill is not marked always:true and is user-invocable only, which is appropriate. However, the instructions require persistent changes: adding SDK initialization to application entrypoints, adding MCP server definitions to various global and project IDE settings, and recommending creation of a .syncause folder/installation.patch. Those persistent modifications increase long-term privilege and attack surface (the MCP server runs via npx and may persist in editor configs). This is not automatically malicious but is more invasive than a transient debugging helper.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install runtime-debugging-skill - After installation, invoke the skill by name or use
/runtime-debugging-skill - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
syncause-debugger v0.1.0
- Initial release of Syncause Debugger skill for diagnosing bugs using runtime execution traces in Python, Node.js, and Java applications.
- Includes a structured 4-phase debugging workflow: Setup, Analyze, Summary, and Teardown.
- Provides detailed steps and checks for project/server setup, SDK installation, bug reproduction hierarchy, and test script best practices.
- Introduces runtime trace verification checklists and a "Reproduction Quality Gate" before analysis.
- Documents recommended usage of MCP tools for trace search, inspection, and diffing.
- Emphasizes evidence-based reasoning by attributing findings to live trace data.
Metadata
Frequently Asked Questions
What is Runtime Debugging Skill?
Diagnose and fix bugs using runtime execution traces. Use when debugging errors, analyzing failures, or finding root causes in Python, Node.js, or Java appli... It is an AI Agent Skill for Claude Code / OpenClaw, with 334 downloads so far.
How do I install Runtime Debugging Skill?
Run "/install runtime-debugging-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Runtime Debugging Skill free?
Yes, Runtime Debugging Skill is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Runtime Debugging Skill support?
Runtime Debugging Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Runtime Debugging Skill?
It is built and maintained by dxsup (@dxsup); the current version is v0.1.0.
More Skills