Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Project Code Standard

v0.1.0

This skill checks, enforces and fixes a project's code standards. Activate it when the user needs to establish a code style standard for a project, check whether code conforms to the standard, automatically fix formatting problems, generate a code quality report, or verify during code review that a commit meets the team's conventions. Supports Python (PEP8/black/ruff), JavaScript/TypeScript (E...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill description (linting and formatting for Python and JS/TS) matches the runtime commands (ruff, eslint, black, prettier) and the described flows. However, SKILL.md repeatedly references helper scripts (python scripts/check_python.py, scripts/check_js.py, scripts/check_general.py) and an assets/ directory of templates that are not included in the skill package. It is unclear whether those scripts are expected to already exist in the user's project, to be provided by a separate install step, or were simply omitted; either way there is a gap between the claimed capability and what is actually packaged.
Instruction Scope
Instructions stay within the domain of code-quality checks (inspect the repo root, run linters, optionally fix files, produce a markdown report). They explicitly say to avoid overwriting existing configs and to ask for user confirmation before automatic fixes, which is good. But they also direct the agent to execute scripts from the project's scripts/ path if present. Running project-local scripts means the agent executes whatever code the repository happens to contain: relevant to the skill's function, but a risky action that SKILL.md does not advise the user to inspect first.
Install Mechanism
No install spec is provided (the skill is instruction-only), which limits its ability to write files or pull code at install time. However, at runtime it assumes external tools (ruff, black, eslint, prettier) plus local helper scripts and assets that are not shipped. Because there is no guidance to install these tools from trusted sources or to verify the helper scripts before execution, there is operational ambiguity and a modest risk when the agent runs commands in a repository containing untrusted code.
Credentials
The skill requests no environment variables, credentials, or config paths. There are no disproportionate credential demands relative to the stated purpose.
Persistence & Privilege
The always flag is false and the skill does not request persistent privileges. Autonomous invocation is allowed by default, which is expected for this type of skill. There is no indication that the skill modifies other skills or system-wide settings.
What to consider before installing
This SKILL.md describes reasonable code-quality actions, but it does not include the helper scripts or assets it references. Before installing or invoking the skill, establish where scripts/check_python.py, scripts/check_js.py, scripts/check_general.py and the assets/ templates are supposed to come from. If the agent will execute scripts inside your repository, read those scripts yourself first, or run the skill against a sandboxed copy of the repo. Install the linters (ruff, black, eslint, prettier) from trusted sources. Be especially cautious about automatic fixes: confirm that the skill asks for explicit permission before modifying files, and consider disabling autonomous execution of the fix steps until you have reviewed the tooling and scripts.
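The two findings above (the Instruction Scope note that the agent runs scripts from the project's scripts/ path, and the advice to establish where the referenced helpers come from before invoking the skill) can be turned into a mechanical pre-flight check. The following is an added example written for this page; it is not code from ClawHub, OpenClaw or the skill. It pulls the scripts/ and assets/ paths a SKILL.md mentions, then classifies each as shipped inside the skill package, present only in the target repository, or missing, and pins the packaged ones by SHA-256 so a later review can detect changes. The regex, the sample SKILL.md excerpt, the temp-directory layout in demo() and the refuse-to-run policy in safe_to_run() are all assumptions of this example.

```python
"""Pre-flight check for an agent skill whose SKILL.md calls local helper scripts.

Added example (not code from the ClawHub page or the skill). It extracts the
local script and asset paths that a SKILL.md references, then reports whether
each one is shipped inside the skill package, only present in the target
repository, or absent. The policy in safe_to_run() is an assumption of this
example: a repo-only script is arbitrary repository code the agent would run,
a missing one means the skill cannot do what it claims, and both block the run.
"""
import hashlib
import os
import re
import tempfile

# Heuristic for references such as "python scripts/check_python.py" or
# "assets/ruff.toml"; a bare directory mention like "scripts/" is not a reference.
SCRIPT_REF = re.compile(r"(?<![\w/])((?:scripts|assets)/[\w./-]+)")


def referenced_paths(skill_md: str) -> list:
    """Return the distinct local paths mentioned in SKILL.md, in first-seen order."""
    found = []
    for match in SCRIPT_REF.finditer(skill_md):
        path = match.group(1).rstrip(".,;:)")  # drop trailing sentence punctuation
        if path not in found:
            found.append(path)
    return found


def classify(paths, package_dir: str, repo_dir: str) -> dict:
    """Map each path to 'packaged', 'repo-only' or 'missing'.

    The package is checked first so a repository file cannot shadow a script
    the skill actually ships.
    """
    where = {}
    for path in paths:
        if os.path.isfile(os.path.join(package_dir, path)):
            where[path] = "packaged"
        elif os.path.isfile(os.path.join(repo_dir, path)):
            where[path] = "repo-only"
        else:
            where[path] = "missing"
    return where


def packaged_digests(where: dict, package_dir: str) -> dict:
    """SHA-256 of every packaged script, recorded at review time to pin it."""
    digests = {}
    for path, status in where.items():
        if status == "packaged":
            with open(os.path.join(package_dir, path), "rb") as fh:
                digests[path] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def safe_to_run(where: dict) -> bool:
    """True only when every referenced file ships with the skill itself."""
    return bool(where) and all(status == "packaged" for status in where.values())


# Constructed SKILL.md excerpt, modelled on the references the scan report lists.
SAMPLE_SKILL_MD = """\
## Python
Run `python scripts/check_python.py --fix` only after the user confirms.
## JavaScript / TypeScript
Run `python scripts/check_js.py` and then `python scripts/check_general.py`.
Config templates are copied from assets/ruff.toml and assets/.eslintrc.json;
never overwrite files already in the scripts/ directory.
"""


def demo() -> tuple:
    """Build a constructed package and repo in temp dirs and run the check.

    The package ships only check_python.py, the repo supplies its own
    check_js.py, and check_general.py plus both assets exist nowhere.
    """
    with tempfile.TemporaryDirectory() as pkg, tempfile.TemporaryDirectory() as repo:
        os.makedirs(os.path.join(pkg, "scripts"))
        with open(os.path.join(pkg, "scripts", "check_python.py"), "w") as fh:
            fh.write("import subprocess; subprocess.run(['ruff', 'check', '.'])\n")
        os.makedirs(os.path.join(repo, "scripts"))
        with open(os.path.join(repo, "scripts", "check_js.py"), "w") as fh:
            fh.write("# repository-supplied, never reviewed by whoever installs the skill\n")

        where = classify(referenced_paths(SAMPLE_SKILL_MD), pkg, repo)
        return where, packaged_digests(where, pkg), safe_to_run(where)


if __name__ == "__main__":
    where, digests, ok = demo()
    for path, status in where.items():
        pin = f"  sha256={digests[path][:16]}..." if path in digests else ""
        print(f"{status:9s} {path}{pin}")
    print("safe to run:", ok)
```

Running the module prints one line per referenced path with its status and, for packaged scripts, the digest prefix, then "safe to run: False" because check_js.py is only supplied by the repository and the remaining references resolve nowhere. Checking the package directory before the repository is deliberate: otherwise a repository could drop a file at a path the skill ships and have it mistaken for the vetted copy.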

Like a lobster shell, security has layers — review code before you run it.

latest: vk971r5rxdwkk1rt6sjp2pmxv19828ngf

