Code Tester
Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its code-testing purpose, but an included path-resolution helper can execute shell commands from a crafted project path.
Review or patch scripts/resolve_project.sh before installing, especially the eval-based path expansion. Run this skill only on trusted or sandboxed repositories, because build and test tools can execute project code and leave logs in /tmp.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or accidental project path could run commands in the agent's local environment instead of only selecting a project to test.
The resolver passes a user-supplied argument through shell eval before checking that it names a directory, so a crafted path-like input (for example, one containing $(...), backticks, or a ; separator) executes arbitrary shell commands in the agent's environment whenever this helper is used, whether or not a valid directory is ever returned.
INPUT="$1" ... EXPANDED=$(eval echo "$INPUT")
Remove eval and use safe path handling, such as explicit $HOME expansion, realpath/readlink validation, strict workspace allowlisting, and quoted arguments.
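The quoted eval pattern and a hardened replacement side by side, as an added example that is not the skill's own scripts/resolve_project.sh. The WORKSPACE_ROOT allowlist, the function names, and the use of cd -P/pwd -P for canonicalisation (chosen over realpath so the example runs on any POSIX system) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not the audited skill's own scripts/resolve_project.sh:
# the eval-based expansion pattern quoted in the finding, beside a resolver
# that avoids eval. WORKSPACE_ROOT and the function names are assumptions.

# Vulnerable pattern. eval re-parses the argument as shell code, so
# $(...), backticks, ';' and similar run before the directory check.
resolve_project_unsafe() {
    local input="$1"
    local expanded
    expanded=$(eval echo "$input")
    [ -d "$expanded" ] && printf '%s\n' "$expanded"
}

# Assumed allowlist root for the hardened resolver.
WORKSPACE_ROOT="${WORKSPACE_ROOT:-$HOME/projects}"

# Hardened resolver: explicit "~"/$HOME expansion only, shell metacharacters
# rejected, path canonicalised through cd -P/pwd -P (resolves symlinks and
# "..", and fails unless the directory exists), and the result must stay
# inside WORKSPACE_ROOT.
resolve_project_safe() {
    local input="$1"
    local expanded canon root
    local meta='$`;&|<>()'

    # Only a leading "~" or "$HOME" is expanded, and only by string surgery.
    case "$input" in
        '~'|'~/'*)          expanded="$HOME${input#\~}" ;;
        '$HOME'|'$HOME/'*)  expanded="$HOME${input#\$HOME}" ;;
        *)                  expanded="$input" ;;
    esac

    # A real path never needs these characters; refuse rather than sanitise.
    case "$expanded" in
        ''|*["$meta"]*)
            printf 'resolve: rejected unsafe project path: %s\n' "$input" >&2
            return 1 ;;
    esac

    # '--' stops option parsing for inputs such as "-P"; CDPATH is cleared
    # so a relative path cannot be redirected through another directory.
    canon=$(CDPATH= cd -P -- "$expanded" 2>/dev/null && pwd -P) || {
        printf 'resolve: not an existing directory: %s\n' "$input" >&2
        return 1
    }
    root=$(CDPATH= cd -P -- "$WORKSPACE_ROOT" 2>/dev/null && pwd -P) || {
        printf 'resolve: workspace root missing: %s\n' "$WORKSPACE_ROOT" >&2
        return 1
    }

    # Allowlist check runs on the canonical path, so "../" escapes are caught.
    case "$canon" in
        "$root"|"$root"/*) printf '%s\n' "$canon" ;;
        *)
            printf 'resolve: %s is outside workspace %s\n' "$canon" "$root" >&2
            return 1 ;;
    esac
}
```

Calling resolve_project_unsafe with an argument such as `$(touch /tmp/marker)` creates the file even though the function never returns a directory, which is exactly the "before validating" problem in the finding. The hardened resolver rejects that argument before anything runs, refuses paths that do not exist, and rejects a path that canonicalises to somewhere above the workspace root.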
Testing an untrusted project can run that project's build scripts, tests, plugins, or wrappers, which may modify files or access the local environment.
The skill intentionally runs language build and test tools, including a repository-supplied Gradle wrapper. This is expected for a code-testing skill, but it executes project-controlled code.
cargo test ... go test ./... mvn test ./gradlew test ./gradlew build -x test
Use this skill only on trusted or sandboxed projects, and consider timeouts or container isolation for third-party code.
The skill may fail or rely on locally installed build tools that were not declared in the registry requirements.
The metadata does not declare required binaries even though the skill's documented workflow and scripts depend on cargo, go, mvn, or gradlew. This is a disclosure/setup gap rather than hidden installation behavior.
Required binaries (all must exist): none
Required binaries (at least one): none
Declare the relevant optional or required build tools in metadata, or have the skill clearly check and report missing tools before running.
Build or test output that contains sensitive details could remain in local /tmp log files after the run.
The script writes build and test output to fixed temporary log files. Similar tee usage appears across supported project types.
cargo test 2>&1 | tee /tmp/code-tester-tests.log ... cargo build 2>&1 | tee /tmp/code-tester-build.log
Avoid printing secrets in build/test logs, and consider cleaning these temporary files after reporting results.
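The two recommendations above (report missing tools before running, and keep build/test logs out of fixed /tmp files) together, as an added example that is not the skill's own code. The project-type marker files, the function names, and the choice of a mktemp directory are assumptions of this example. One caveat visible in the quoted `cargo test 2>&1 | tee /tmp/...` lines: in a plain pipeline the exit status is tee's, so unless the script sets pipefail a failing test run reports success; the helper below preserves the command's own status.

```bash
#!/usr/bin/env bash
# Added example, not the audited skill's own code: a preflight that reports
# missing build tools instead of failing midway, and a log helper that keeps
# build/test output in a private mktemp directory and removes it afterwards.
# The marker files, the match order and the function names are assumptions.

# Map a project directory to the build tool it needs, using the marker files
# for the tools the finding names (first match wins):
# Cargo.toml -> cargo, go.mod -> go, gradlew -> the repository's own wrapper,
# pom.xml -> mvn.
detect_project_type() {
    local dir="$1"
    if   [ -f "$dir/Cargo.toml" ]; then echo cargo
    elif [ -f "$dir/go.mod" ];     then echo go
    elif [ -f "$dir/gradlew" ];    then echo gradlew
    elif [ -f "$dir/pom.xml" ];    then echo mvn
    else echo "preflight: no supported project in $dir" >&2; return 1
    fi
}

# Verify the tool exists before anything runs; prints the resolved path.
# A gradlew wrapper is project-controlled code, so it is checked in the
# project rather than on PATH.
check_tool() {
    local dir="$1" kind="$2"
    case "$kind" in
        gradlew)
            [ -x "$dir/gradlew" ] && printf '%s\n' "$dir/gradlew" && return 0
            echo "preflight: $dir/gradlew is missing or not executable" >&2
            return 1 ;;
        *)
            command -v "$kind" 2>/dev/null && return 0
            echo "preflight: required tool '$kind' not found in PATH" >&2
            return 1 ;;
    esac
}

# Private log directory (mktemp -d creates it mode 0700) instead of fixed
# world-readable names such as /tmp/code-tester-tests.log.
make_log_dir() { mktemp -d; }

# Run a command with output tee'd to a log file, returning the command's own
# exit status. The status is captured inside the left side of the pipe so
# the result does not depend on pipefail being set.
run_logged() {
    local logdir="$1" name="$2"; shift 2
    local log="$logdir/$name.log" status
    { "$@" 2>&1; echo "$?" >"$log.status"; } | tee "$log"
    status=$(cat "$log.status")
    rm -f "$log.status"
    return "$status"
}

# Remove the logs once results have been reported.
cleanup_logs() { rm -rf -- "$1"; }
```

A driver would call detect_project_type, then check_tool, and only then run the build and test commands through run_logged, calling cleanup_logs after the summary has been produced. Because the status file is written by the same subshell that ran the command, a test run that exits non-zero still fails the step even though tee itself succeeded.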
