Repo Agent Brief

Result: Pass. Audited by ClawScan on May 10, 2026.

Overview

This is a coherent repo-briefing skill, with ordinary cautions about running an unpinned npx package and reviewing generated briefs because they may include repository snippets.

This skill appears safe for its stated purpose. Before using it, make sure you trust the npm package being run with npx, consider pinning a version, and review generated brief files for sensitive repository content before sharing them or using them as agent context.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the command may execute package code from the npm ecosystem, so users rely on that package's provenance and current published contents.

Why it was flagged

The workflow runs an npm package through npx. This is central to the skill's purpose, but the supplied artifacts do not include the package code or a pinned version.

Skill content
npx repo-agent-brief . > AGENT_BRIEF.md
Recommendation

Use a trusted package source, consider pinning a known version, and run it in a controlled repository environment.

What this means

The generated brief could contain sensitive code, configuration details, or repo-provided instructions that should not be blindly trusted or published.

Why it was flagged

The artifact explicitly states that generated briefs can contain repository snippets, creating local context files that may be reused by agents or shared by users.

Skill content
Generated briefs may include snippets from repo context files; avoid posting publicly without review.
Recommendation

Review generated briefs before sharing or feeding them to another agent, and use --no-snippets when working with sensitive repositories.