Test Patterns

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing these packages can modify the project and trust code from external registries.

Why it was flagged

The skill recommends installing third-party test packages from package registries. This is purpose-aligned, but it changes the user's development environment and depends on external package provenance.

Skill content

npm install -D jest ... npm install -D vitest ... pip install pytest pytest-cov

Recommendation

Review dependency changes, prefer pinned versions and lockfiles, and install inside the intended project or virtual environment.

What this means

Test commands may run code with local file, network, or service side effects depending on the project.

Why it was flagged

The skill documents commands that execute project test runners. This is central to a testing skill, but running tests executes local project code.

Skill content

npx jest --coverage ... npx vitest --coverage

Recommendation

Run test commands only in trusted project directories and use isolation when testing unfamiliar code.

What this means

A copied example could introduce a race-prone temporary-file pattern.

Why it was flagged

One Python fixture example uses tempfile.mktemp, an unsafe temporary-file pattern if copied into less controlled contexts. The example is scoped to testing, so this is a low-severity guidance note rather than suspicious behavior.

Skill content

path = tempfile.mktemp(suffix=".json") ... os.unlink(path)

Recommendation

Prefer pytest's tmp_path fixture or tempfile.NamedTemporaryFile for temporary files.