Tdd Helper

Pass

Audited by ClawScan on May 1, 2026.

Overview

This TDD helper is purpose-aligned, but it can run local shell commands provided by the user or agent after tests pass.

This appears safe for its stated TDD purpose, but it works by running local shell commands. Before installing or using it, make sure the tests path, optional environment commands, and --run command are exactly what you intend.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user or agent supplies a destructive or untrusted command, it could modify or delete local files just like running that command directly in a terminal.

Why it was flagged

The helper intentionally executes a caller-supplied shell command after tests pass. This is disclosed and purpose-aligned, but it is broad local command execution.

Skill content

parser.add_argument('--run', required=True, help='Command to run after tests pass')
...
run_res = subprocess.run(args.run, shell=True)

Recommendation

Use this skill only with commands you trust, and review the --run, TEST_CMD, and LINT_CMD values before execution.