Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Build
v2.2.1
Execute implementation plan tasks with TDD workflow, auto-commit, and phase gates. Use when user says "build it", "start building", "execute plan", "implemen...
by Rust @fortunto2
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (execute implementation plan with TDD, auto-commit, phase gates) match the runtime instructions: locating docs/plan, picking tasks, running tests/lints, committing, and updating progress. The declared lack of env vars/credentials and no install spec is coherent with an instruction-only repo tool.
Instruction Scope
Instructions legitimately read and modify repository files (docs/plan/*, docs/workflow.md, templates/stacks/{stack}.yaml, .solo/pipelines/progress.md, plan.md) and run local commands (make, pnpm/npm, pre-commit/husky/lefthook install, test targets). This is expected for a build executor. Note: instructions may invoke MCP tools (codegraph, project_code_search, web_search) which can send project queries to external services; review whether you want project code/metadata exposed to those external services. Also some commands in the doc (e.g., 'uv run pre-commit install') look like a possible typo — verify commands before execution.
Install Mechanism
No install spec is provided (instruction-only), so nothing will be written to disk by an installer. The runtime guidance includes advice to run package-manager commands to enable git hooks in the project; those are per-repo actions, not a global install.
Credentials
The skill requests no environment variables or credentials, which is proportionate. However, its runtime actions may run package managers, install git hooks, and execute test/build commands that could access network resources (package registries, CI endpoints) or local config (git config). Ensure no sensitive tokens or credentials are stored in the repository or in files the skill will read.
Persistence & Privilege
always:false and no persistent install — the skill does not request elevated platform privileges. It will modify repository files (plan.md progress markers, commits) and can install project-level git hooks, which is appropriate for a build/execution skill.
Assessment
This skill will read and modify files in your repository (plan.md, workflow docs, stack yaml, progress logs), run shell commands (make, npm/pnpm, linters/tests), and may install project git hooks. It requests no secrets, but it may invoke MCP tools (code search/web search) that could send queries or metadata to external services — decide if you want your project context exposed. Before running: (1) review the referenced files (docs/plan/, docs/workflow.md, templates/stacks/*, .solo/pipelines/progress.md); (2) ensure no secrets or CI tokens are committed; (3) verify any commands the skill will run (there is a possible typo like 'uv run pre-commit install'); and (4) consider running on a branch or cloned copy so commits/hooks are reversible. If you want tighter control, restrict the skill to projects you trust or run it in an isolated environment.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔨 Clawdis
