ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dev Task

v1.0.1

开发项目任务管理,支持版本化开发流程。当用户需要启动开发任务、创建新版本、管理项目版本文档时使用。每次启动开发任务必须向用户确认版本编号,按版本号管理代码、开发文档、需求文档、发布配置。严格执行版本归档纪律,封版必须立即归档完整代码和文档。

0· 528·3 current·3 all-time
by@cwyhkyochen-a11y
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (versioned development task management) matches the included SKILL.md, templates, and init-version.sh script. Required actions (mkdir, cp, sed, copying project files, updating docs, pm2/npm references for deployment) are proportional to the stated purpose.
Instruction Scope
Runtime instructions confine themselves to local project operations: checking/creating versions/, copying templates, archiving project files, and local rollback/deploy steps. No instructions attempt to read unrelated system config, network endpoints, or secrets. Deployment notes mention systemctl/pm2/npm which are relevant to deployment tasks but are only documentation/commands the user would run.
Install Mechanism
No install spec — instruction-only plus a small helper script (scripts/init-version.sh). The script is straightforward: it validates args, copies templates, replaces placeholders, and backs up project files. No downloads, extract steps, or external URLs are executed by the skill itself.
Credentials
The skill declares no required environment variables or credentials. Templates reference editing a .env in deployment documentation, which is expected for deployment instructions but not requested by the skill. Nothing asks for unrelated secrets or cloud credentials.
Persistence & Privilege
always:false and no code attempts to persist across agents or modify other skills. The skill operates on user-supplied project paths and does not register itself for permanent/autonomous elevation.
Assessment
This skill appears coherent and focused on local version/archival workflows. Before using: (1) run init-version.sh with the correct project path to avoid accidental copies/overwrites; (2) inspect versions/ after a run to confirm only intended files were copied (the script will copy src/public/package files and may include secrets if they exist in the project); (3) be cautious with the deployment instructions that suggest running systemctl as root or pm2/npm commands — those require appropriate privileges and operational review; (4) note sed -i usage may behave differently on macOS (BSD sed) and cp may overwrite files — test in a safe environment or a backup branch first. There are no signs of network exfiltration or hidden endpoints in the included files.

Like a lobster shell, security has layers — review code before you run it.

latestvk976ead57k0zshrk87r2ghy061823wbr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments