Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Manual QA
v1.0.0
Generate a manual QA checklist from code changes. Use when the user wants to test a PR, commit, branch, or staged changes — or says "QA this", "test plan", "...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md explicitly instructs the agent to run git and GitHub CLI commands (gh pr diff, git show, git diff, etc.) and to detect project test commands (package.json, Makefile). However, the skill metadata lists no required binaries or credentials. Either the metadata is incomplete (omitted needed tools/creds) or the instructions assume capabilities the environment may not provide.
Instruction Scope
The runtime instructions stay within the stated purpose (generate a QA checklist from code changes and offer to run agent-testable steps). They explicitly limit scope (only run steps relevant to the diff, prefer targeted tests). The instructions do require reading repository files and running commands locally or calling APIs, which is reasonable for this purpose.
Install Mechanism
There is no install spec (instruction-only), so nothing is written to disk by the skill itself. This is lower risk and consistent with an instruction-only QA helper.
Credentials
Although the skill declares no required environment variables, the instructions implicitly require authenticated access to GitHub (gh CLI) for PR diffs and may need network access for curl/API calls. The absence of declared credentials (e.g., GH_TOKEN or gh auth) is a proportionality mismatch that could hide implicit credential needs.
Persistence & Privilege
The skill is not marked always:true and does not request persistent presence or modify other skills' configs. Autonomous invocation is allowed (the platform default); that is expected for a tool that can run commands, but users should be aware the agent could execute terminal steps if permitted.
What to consider before installing
This skill's instructions are coherent for generating QA checklists, but the metadata omits practical requirements. Before installing or invoking it:
1) Verify the runtime environment has git and the GitHub CLI (gh) if you expect PR diff support; otherwise the agent will fail on PR URLs.
2) Understand that using gh pr diff or API calls typically requires GitHub authentication (gh auth or a token); the skill does not declare or request credentials — decide how you'll provide them and whether that's acceptable.
3) Be prepared for the agent to read repository files and run commands/tests if you accept its offer to "run 🤖 steps"; run such actions in a safe or CI-like environment if you have security concerns.
4) If you want to proceed, ask the skill author (or update the metadata) to declare required binaries and any environment variables (e.g., GITHUB_TOKEN) so you can evaluate permission needs accurately.
Like a lobster shell, security has layers — review code before you run it.
