Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
code-dev-pipeline (Code Development Pipeline)
v1.0.0 An eight-role collaborative code development pipeline for complex code development tasks. **This skill must be used when the user asks to develop code, write a program, implement a feature, or has code-quality requirements.** Especially suitable for: - complex feature development (>50 lines of code, multiple files, tests required) - projects that need UI/front-end design (HTML/CSS/JS, React/Vue, etc.) - tasks with code-quality requirements (requiring rev...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
Name and description align with the provided instructions: this is a multi-role code development pipeline for complex projects. However, SKILL.md assumes use of Git, running servers and tests (uvicorn/node/browser tests), and invoking another skill (ui-ux-pro-max), and none of these runtime requirements are declared in the skill metadata (required binaries/env). That omission is an inconsistency (likely sloppy packaging) but not in itself malicious.
Instruction Scope
SKILL.md and references explicitly instruct the agent to create project directories, run git initialization/commits, spawn role workers, write many artifact files, and persist outputs (save_to_knowledge_base writes files and creates symlinks). These actions are coherent with a dev pipeline but broaden the agent's access to the filesystem and assume the ability to run commands and spawn sub-tasks. There is no instruction that reads arbitrary system configuration or secret stores, but the agent will persist data under projects/{name}/ and create symlinks.
Install Mechanism
This is an instruction-only skill with no install spec or external downloads, so nothing is written to disk by an installer. Low install risk.
Credentials
The skill declares no required environment variables or credentials (good). But the instructions expect runtime tools (git, test environments, possibly Python/Node/runtimes and browsers) and to spawn/chain other skills. The lack of declared required binaries (e.g., git) is a proportionality/packaging gap that could lead the agent to attempt operations that fail or unexpectedly access system resources.
Persistence & Privilege
The workflow explicitly saves artifacts to disk (projects/{project}/{version}/...), creates/updates a 'current' symlink, and maintains iteration history/tech-debt. The skill does not request 'always: true' nor modify other skills' configs, but it does persist files and therefore has lasting effect on the agent environment and workspace.
What to consider before installing
This skill is largely coherent with its stated purpose (a multi-role code development pipeline), but pay attention to these points before you install or enable it:
1) The documentation expects Git usage, running servers/tests (uvicorn/node/browser tests), and invoking another skill (ui-ux-pro-max), yet the skill metadata claims no required binaries or environment; ask the author to list required tools (git, Python/Node, browsers/test runners) so you can control them.
2) The workflow writes files under projects/{name}/, creates symlinks, and persists iteration artifacts; run it in an isolated workspace or container if you don't want these files mixed with your system.
3) The skill will invoke subprocess-like behavior (spawn role workers) and may create commits; review what the agent will commit to any Git repo before giving it access to important repositories.
4) There are no requested secrets, which is good, but be cautious about logs or example code that reference user emails or other identifiers; avoid feeding sensitive production credentials into the pipeline.
5) If you need higher assurance, ask the publisher to: (a) declare required binaries and runtimes, (b) document exactly how 'spawn' is implemented (local processes, separate agents, remote calls), and (c) provide explicit opt-outs for filesystem persistence or a configurable project root.
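Two of the points above (undeclared runtime tools, and symlinks written into the workspace) can be checked mechanically before you enable a skill. The script below is an added example written for this page, not code from ClawHub, OpenClaw or the skill itself. It assumes a hypothetical SKILL.md layout with a `---` frontmatter block carrying `required_binaries` and `required_env` fields; the sample SKILL.md is constructed to resemble the flagged skill and is not the real file. It reports tools referenced in inline commands that the frontmatter does not declare, and checks that a symlink target such as `projects/{name}/current` cannot escape the project root.

```python
"""Pre-install audit helpers for an instruction-only agent skill.

Added example; the frontmatter field names and the sample SKILL.md are
assumptions for illustration, not ClawHub's real schema.
"""
import os
import re

# Constructed sample SKILL.md: the frontmatter declares no required binaries,
# yet the instructions invoke git, uvicorn and node. (Hypothetical format.)
SAMPLE_SKILL_MD = """---
name: code-dev-pipeline
version: 1.0.0
required_binaries: []
required_env: []
---
# Pipeline
1. Run `git init` in projects/{name}/ and commit each iteration.
2. Start the backend with `uvicorn app:main --reload` and run `node test.js`.
3. Invoke skill `ui-ux-pro-max` for the front-end design.
4. After saving, update the symlink projects/{name}/current -> projects/{name}/v1.
"""

# Executables worth flagging when they appear in instructions but not in metadata.
KNOWN_TOOLS = {"git", "uvicorn", "node", "npm", "npx", "python", "pip",
               "docker", "curl", "wget"}

FRONTMATTER_RE = re.compile(r"^---\n(.*?)\n---\n", re.S)


def parse_frontmatter(text):
    """Return the declared list fields from the leading '---' block.

    Only simple `key: [a, b]` or `key: []` lines are understood (assumed format).
    """
    declared = {"required_binaries": set(), "required_env": set()}
    m = FRONTMATTER_RE.match(text)
    if not m:
        return declared
    for line in m.group(1).splitlines():
        key, _, val = line.partition(":")
        key = key.strip()
        if key in declared:
            declared[key] = set(re.findall(r"[\w.-]+", val))
    return declared


def referenced_tools(text):
    """Tool names used as the first word of an inline `command` in the body."""
    body = FRONTMATTER_RE.sub("", text, count=1)
    found = set()
    for cmd in re.findall(r"`([^`]+)`", body):
        parts = cmd.split()
        if parts and parts[0] in KNOWN_TOOLS:
            found.add(parts[0])
    return found


def undeclared_tools(text):
    """Tools the instructions rely on that the metadata does not declare."""
    return referenced_tools(text) - parse_frontmatter(text)["required_binaries"]


def symlink_within_root(root, link, target):
    """True if `target` (relative to the link's directory, or absolute)
    normalises to a path under `root`; False if it points outside.

    Uses path normalisation only, so it needs no filesystem access.
    """
    root_n = os.path.normpath(root)
    link_dir = os.path.dirname(os.path.normpath(os.path.join(root_n, link)))
    if os.path.isabs(target):
        target_n = os.path.normpath(target)
    else:
        target_n = os.path.normpath(os.path.join(link_dir, target))
    return os.path.commonpath([root_n, target_n]) == root_n


if __name__ == "__main__":
    missing = undeclared_tools(SAMPLE_SKILL_MD)
    print("referenced but undeclared tools:", sorted(missing))
    for tgt in ("v1", "../../../../etc", "/home/user/.ssh"):
        ok = symlink_within_root("/work", "projects/demo/current", tgt)
        print(f"symlink projects/demo/current -> {tgt}: {'inside root' if ok else 'ESCAPES ROOT'}")
```

Run it against the real SKILL.md of any skill you are evaluating; an empty `undeclared_tools` result means the packaging matches the instructions, and a `False` from `symlink_within_root` is a reason to confine the skill to a throwaway project root before it is allowed to write anything.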
Latest version: vk9758j7h2nhznkhbsva4dc5q2183dhew
