Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the contents: the SKILL.md describes an orchestrated dev workflow that delegates work to version-manager, project-manager, and dev-pipeline. There are no unrelated environment variables, binaries, or install steps required by this skill itself.
Instruction Scope
All runtime actions in SKILL.md are calls to the listed dependent skills and operations on project-local paths (versions/... and .dev-workflow/config.json). The instructions do reference reading/writing project files, creating backups, and deploying, which are appropriate for a deployment workflow. Note: the policy that forbids manual code edits ("禁止手动改代码") is an operational constraint the user should be aware of — it is intentional behavior rather than scope creep.
Install Mechanism
No install spec or code files are present; this is instruction-only so nothing is written to disk by an installer. This is the lowest-risk install posture.
Credentials
The skill declares no required environment variables, credentials, or config paths. However, many runtime actions (backups, deploys) will rely on the dependent skills; those other skills may require secrets/credentials (e.g., SSH keys, cloud credentials). Verify dependencies' requirements before use.
Persistence & Privilege
always is false and there is no request for permanent privileged presence. The skill does orchestrate actions that may affect production (deploy, backup), but it does not itself gain elevated platform privileges or modify other skills' configurations.
Scan Findings in Context
[no-code-files-to-scan] expected: The static scanner found nothing because this skill is instruction-only (only SKILL.md). That's expected; review runtime instructions rather than scanner output.
Assessment
This skill is a coherent workflow wrapper, but before installing you should: 1) inspect and trust the three dependent skills (version-manager, project-manager, dev-pipeline) because they will perform the real work and may require credentials or network access; 2) confirm where backups are stored and who can trigger deploys/rollbacks (ensure they won't reach production unexpectedly); 3) be aware that the workflow enforces 'no manual code edits', which may conflict with any manual changes you need to make; 4) test the workflow in a safe staging environment first to verify which credentials and endpoints the dependent skills use; and 5) ask the publisher for a homepage/source or provenance information if you need stronger assurance about safety or maintenance.
Like a lobster shell, security has layers — review code before you run it.
