Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Gen Test Plan
v1.0.0
Analyze repo, detect stack, trace changes to user-facing entry points, generate E2E YAML test plan
by Kevin Anderson (@anderskev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Suspicious (medium confidence)
Purpose & Capability
Name/description (generate E2E test plans from repo diffs) matches the SKILL.md intent. However, the instructions require interacting with build artifacts, databases, local servers, and an `agent-browser` CLI — none of which are declared in the skill's manifest (no required binaries, no required env vars). The capability-to-requirement mapping is incomplete.
Instruction Scope
SKILL.md contains many concrete runtime actions (git commands, grep, starting servers, curl, psql, agent-browser, docker-compose, building binaries, querying DATABASE_URL, examples referencing ANTHROPIC_API_KEY). Those are within an E2E testing scope, but they read and act on local system state and credentials that the skill did not declare, and could cause actual side effects if executed. The instructions do not attempt to limit or sandbox those operations.
Install Mechanism
Instruction-only skill with no install spec and no code files — low supply-chain/install risk. Nothing will be downloaded or written by an installer step.
Credentials
The document explicitly references environment values and external tools (e.g., DATABASE_URL, ANTHROPIC_API_KEY, psql, agent-browser) and expects the agent to interact with databases and services, yet the manifest declares zero required env vars or binaries. This mismatch risks accidental use of sensitive credentials or missing prerequisites at runtime.
Persistence & Privilege
always:false and disable-model-invocation:true reduce autonomous risk (the model won't invoke this skill autonomously). The skill does not request persistent agent-wide privileges or modify other skills. No elevated 'always' privilege is requested.
What to consider before installing
This skill looks like a legitimate E2E test-plan generator, but it assumes it can read the repo, discover ports, build/run binaries, access databases, and use tools like psql and agent-browser, yet it doesn't declare any required binaries or environment variables. Before installing or using it:
1) Ask the author to list required CLIs (git, grep, curl, psql, docker-compose, agent-browser, build toolchains) and required env vars (DATABASE_URL, any API keys) in the manifest.
2) Inspect any generated test-plan.yaml before running it; run tests only in an isolated environment or a disposable test database to avoid leaking secrets or modifying production data.
3) Confirm that you or your CI will provide the credentials and tooling the plan expects, and that those credentials are scoped to a safe test environment.
4) If you need higher assurance, request the author add a minimal `requires` section declaring binaries and env vars so the platform can surface missing prerequisites and you can audit them first.
