Reckit
Author: christiancattaneo (GitHub) · v2.4.0
Total downloads: 631 · Favorites: 0 · Current installs: 0 · Versions: 4
Install in OpenClaw: /install wreckit-ralph
Description
Bulletproof AI code verification. The agent IS the engine — no external tools required. Spawns parallel verification workers that slop-scan, type-check, muta...
Safe usage recommendations
This skill mostly does what it says (a multi-gate verification framework) but has several red flags you should handle before installing or running it:
1) Source/provenance: The skill source/homepage are unknown. Prefer skills with a traceable repo and maintainer.
2) Audit the scripts first: review scripts/* and assets/dashboard/server.mjs for any network endpoints, telemetry, or destructive file operations before running. The package contains many shell scripts that will be executed — read them.
3) Telemetry: locate scripts/telemetry.sh and grep for network POST/PUT/curl/fetch calls. If telemetry is present, ask what is sent and to where; disable it if you don't want data leaving your host.
4) Run in a sandbox: initially run the skill in an isolated environment (container, disposable VM, or a dedicated non-sensitive workspace) because it will scan project directories (default ~/Projects) and can write .wreckit/ and generated CI files.
5) Tooling expectations: it attempts to detect and (optionally) invoke external tools (stryker, mutmut, valgrind, etc.). Ensure you understand and control what it will install or execute; prefer installing required tools yourself in a controlled way or rely on the AI fallbacks only after inspection.
6) Agent config & spawning: it asks for agent subagent spawning (maxSpawnDepth, children limits). Only enable these features if you understand the platform subagent model and are comfortable with autonomous subagent execution.
7) Least privilege: avoid running this skill on systems with secrets, credentials, or production data. If you must audit sensitive repos, isolate them and disable any telemetry/network calls.
If you want, I can: (A) scan the scripts for network calls and list lines that call curl/fetch/sockets/telemetry, (B) summarize what each script will modify on disk, or (C) produce a minimal safe-run checklist (commands to run the skill in a container and what to mount).
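The audit in steps 2 and 3 above, as an added example that is not code from the Reckit/wreckit-ralph bundle or from the marketplace page: it greps a skill bundle's shell and Node sources for network egress and risky file operations and reports each hit as file:line:text. The sample bundle it builds (telemetry.invalid, registry.invalid, the script contents) is constructed for the demo; only the file names mirror those named in the review.

```shell
#!/bin/sh
# Added example (not part of the Reckit/wreckit-ralph bundle): pre-install audit
# of a skill bundle for network calls and destructive or out-of-tree file writes.

# audit_skill_bundle DIR: print every flagged line under DIR; exit 0 only if none.
audit_skill_bundle() {
    # Network egress primitives: curl/wget/nc commands, fetch(), http(s).request(),
    # raw sockets and WebSockets in Node.
    net_pat='(^|[[:space:];|&(])(curl|wget|nc) |fetch\(|https?\.request\(|net\.connect\(|new WebSocket\('
    # Destructive or out-of-tree writes: recursive deletes, world-writable chmod,
    # and dotfiles/dirs under the user's home.
    fs_pat='rm -rf|rm -fr|chmod 777|\$HOME/\.|~/\.'
    # grep exits 1 when nothing matched, which is the clean result; negate it.
    ! grep -rnE -e "$net_pat" -e "$fs_pat" \
        --include='*.sh' --include='*.mjs' --include='*.js' "$1" 2>/dev/null
}

# count_hits DIR: number of flagged lines (0 when the bundle is clean).
count_hits() {
    audit_skill_bundle "$1" | awk 'END { print NR }'
}

# make_sample_bundle DIR: write a constructed bundle with one clean script, a
# telemetry script that posts a file from $HOME and deletes a cache dir, and a
# dashboard server that calls fetch(). Hosts use the reserved .invalid TLD.
make_sample_bundle() {
    mkdir -p "$1/scripts" "$1/assets/dashboard"
    cat > "$1/scripts/detect-stack.sh" <<'EOF'
#!/bin/sh
[ -f package.json ] && echo node
EOF
    cat > "$1/scripts/telemetry.sh" <<'EOF'
#!/bin/sh
curl -s -X POST -d "@$HOME/.wreckit/run.json" https://telemetry.invalid/ingest
rm -rf "$HOME/.wreckit/cache"
EOF
    cat > "$1/assets/dashboard/server.mjs" <<'EOF'
const res = await fetch("https://registry.invalid/api", { method: "POST" });
EOF
}

# Usage: audit_skill_bundle /path/to/unpacked/skill   (path is an assumption)
```

Running it on the constructed bundle flags the two telemetry.sh lines and the fetch() call in server.mjs while leaving detect-stack.sh clean; review each hit by hand, since a regex can only point you at the lines to read.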
Feature analysis
Type: OpenClaw Skill
Name: wreckit-ralph
Version: 2.4.0
The wreckit-ralph bundle is a highly sophisticated and comprehensive defensive security auditing suite designed to verify AI-generated code. It includes a wide array of scripts for Static Application Security Testing (red-team.sh), dependency hallucination detection (check-deps.sh), mutation testing, and dynamic analysis. While the bundle requires high-privilege execution (shell access) to run project tests and build tools, its logic is consistently aligned with its stated purpose of code verification and quality assurance. The documentation (SKILL.md) includes specific 'Anti-Fabrication' protocols to prevent AI agents from hallucinating results, and the 'Codex CLI' notes, while suggesting high-risk sandbox bypasses for specific environments, are framed as technical workarounds rather than malicious intent.
Capability assessment
Purpose & Capability
The name/description (bulletproof code verification, agent-driven) aligns with the included scripts and gate docs (mutation testing, type checks, fuzzing, SAST). However, the description explicitly claims "no external tools required" while many scripts detect/expect external tools (Stryker, mutmut, valgrind/ASAN, go test -race, etc.) and will call network registries (check-deps). The registry metadata declares no required binaries/env, but the runtime clearly uses HOME and may call out to package managers and remote registries. This inconsistency (claimed zero external dependencies vs. many optional/required tool paths) is unexplained and increases risk.
Instruction Scope
SKILL.md and the scripts instruct the agent to read and operate on a project's filesystem (golden fixtures, .wreckit/, IMPLEMENTATION_PLAN.md, tests, CI files) which is expected for a verifier. But the included dashboard/server will auto-scan ~/Projects (or a user-supplied watch dir) and aggregate .wreckit/dashboard.json across multiple projects — a broad filesystem sweep that could read many repos. The repo also contains telemetry.sh and references to telemetry in scripts/run-all-gates.sh; SKILL.md doesn't declare any external telemetry endpoints or what data is sent. The orchestrator/swarm model expects spawning subagents and changing agent config (agents.defaults.subagents), which grants the skill broad runtime reach; instructions that spawn parallel workers and run arbitrary analysis increase the surface for accidental/exfiltrative behavior if not sandboxed.
Install Mechanism
There is no install spec (instruction-only), which avoids an automatic network download/install step. All runnable artifacts are included as scripts and assets in the skill bundle. This reduces supply-chain download risk, but means executing the skill will run local shell scripts and Node code supplied by the skill — those scripts must be audited before execution.
Credentials
Registry metadata lists no required environment variables or credentials, yet SDKs/scripts implicitly use environment data (process.env.HOME in the dashboard server), and many gates/scripts will probe the host for installed tools and networks (npm, pip, cargo, valgrind, Stryker, registries). The skill also provides a telemetry script but does not declare telemetry endpoints or ask explicit permission. Requiring modification of agent config (agents.defaults.subagents) to enable spawning is another effective capability change not represented in the declared environment/permissions.
Persistence & Privilege
The skill is not force-included (always:false) and does not declare elevated privileges. It does, however, expect the orchestrator/subagent capability (sessions_spawn and maxSpawnDepth >= 2) and instructs the user to set agent config. The skill includes scripts that can write files into a repo (e.g., generated CI workflow, .wreckit proof bundles). These behaviors are normal for a build/audit tool but mean the skill will create files in scanned repos if run — run it in a controlled/sandboxed workspace if you don't want repo mutation.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install wreckit-ralph
- Once installation completes, call the Skill by name directly or trigger it with /wreckit-ralph
- Provide the required inputs as described in the Skill's parameter documentation to receive structured output
Version history
v2.4.0
Swift/iOS support: type-check (swift build + xcodebuild), mutation testing (AI-estimated, always CAUTION), SPM dependency audit, improved stack detection (SPM/CocoaPods/Carthage/xcworkspace). Site claims hardened: removed overclaimed SHA-256 signing, corroboration threshold corrected to 2+. Renamed to Reckit.
v2.3.2
Added llms.txt for agent discoverability; 24 verification scripts stable
v1.0.1
Add mutation-test.sh, slop-scan.sh scripts. Fix detect-stack for node --test. Tested on whackamole + midas-mcp.
v1.0.0
Initial release: 11 verification gates, swarm architecture, 14-step framework, language-agnostic AI code verification
FAQ
What is Reckit?
Bulletproof AI code verification. The agent IS the engine — no external tools required. Spawns parallel verification workers that slop-scan, type-check, muta... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 631 downloads to date.
How do I install Reckit?
Run the command "/install wreckit-ralph" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Reckit free?
Yes, Reckit is completely free (open source and free of charge) and can be freely downloaded, installed and used.
Which platforms does Reckit support?
Reckit runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Reckit?
Developed and maintained by christiancattaneo (@christiancattaneo); current version v2.4.0.