ClawHub

Sui Coverage

PassAudited by ClawScan on May 1, 2026.

Overview

The skill appears aligned with Sui Move coverage analysis, but it runs local Sui/Python tooling and may change project test files, so review its changes before committing.

This skill looks safe for its intended purpose of Sui Move coverage analysis. Install it only if you are comfortable with an agent running local Sui coverage/test commands and making test changes in your project; review file diffs and generated reports before committing.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI02: Tool Misuse and Exploitation
What this means

The agent may edit test or source-related files in the selected Move package and run local Sui test commands.

Why it was flagged

The workflow gives the agent authority to run local coverage commands, inspect source, and add tests. This matches the skill purpose, but users should expect local project changes.

Skill content
When asked to improve test coverage: ... Run analysis ... Read source ... Write tests ... Verify - Re-run coverage
Recommendation

Use it in the intended repository, keep version control enabled, and review generated tests and audit findings before committing or deploying.

Low
#ASI05: Unexpected Code Execution
What this means

Running the helper depends on the local sui binary and executes Sui coverage tooling in the chosen package directory.

Why it was flagged

The helper script executes the local Sui CLI with explicit arguments. This is expected for coverage analysis and does not show shell injection or unrelated command execution.

Skill content
os.execvp('sui', ['sui', 'move', 'coverage', 'source', '--module', module_name])
Recommendation

Run it only in trusted project directories and ensure the sui binary on PATH is the one you intend to use.

Info
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

Users may have less registry-level assurance about where the skill package came from.

Why it was flagged

The registry does not declare a source, while the skill references external repository information. This is not suspicious by itself, but provenance matters because users run the included Python helpers locally.

Skill content
Source: unknown; Homepage: https://github.com/EasonC13-agent/sui-coverage-demo
Recommendation

If provenance is important, compare the installed files with the referenced repository before relying on the tool.