Harness Dev Standards

Advisory: audited by static analysis on May 13, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern: high confidence
ASI08: Cascading Failures
What this means

The agent could make multiple project-wide edits that break behavior, remove needed packages, or make changes that are hard to review after the fact.

Why it was flagged

The skill directs the agent to make dependency and code changes automatically and continue until issues are fixed, without defining user approval, iteration limits, rollback, or containment.

Skill content
When the following problems occur, fix them automatically without human intervention... change the version number or remove unnecessary dependencies... apply the fix strategy... repeat until the problem is resolved
Recommendation

Require explicit user approval before edits, show diffs, limit changes to the selected project, keep backups or commits, and set a maximum remediation loop count.

What this means

A local process could be terminated unexpectedly, potentially causing lost work or interrupting an unrelated service using the same port.

Why it was flagged

The remediation guidance includes a force-kill command as an automatic startup-failure fix, with no instruction to confirm the target process or ask the user first.

Skill content
Port already in use... automatic fix strategy... kill the process: kill -9 <PID>
Recommendation

Prefer changing the development port, identify the process clearly, and ask for user confirmation before killing anything; avoid kill -9 unless the user explicitly approves it.

What this means

Running the script may persistently change the user's global npm environment, and the depcheck version it installs is whatever the npm registry serves at that moment.

Why it was flagged

The script installs an unpinned npm package globally at runtime if depcheck is missing, even though no install requirements are declared.

Skill content
if ! command -v depcheck... npm install -g depcheck
Recommendation

Install depcheck as a pinned local devDependency, use npx with a pinned version, or ask the user before any global installation.

What this means

If used on an untrusted project, that project's package scripts, compiler plugins, or lint plugins could execute arbitrary code on the user's machine.

Why it was flagged

The quality scanner runs local project tooling and the project's build script; this is expected for a code-quality skill but still executes code/configuration from the target project.

Skill content
npx tsc --noEmit... npx eslint . --ext .ts,.tsx,.js,.jsx... npm run build
Recommendation

Run the scanner only in trusted projects or isolated environments, and review package.json scripts before executing the quality scan.