Test Patterns
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: test-patterns
Version: 1.0.0
The skill is classified as suspicious due to the inherent high-risk nature of its core functionality and the inclusion of powerful shell primitives. The `SKILL.md` provides extensive examples of executing shell commands and code in various languages (Node.js, Python, Go, Rust, Bash), which is explicitly declared in the `requires` metadata (`anyBins: ['node', 'python3', 'go', 'cargo', 'bash']`). While this aligns with the stated purpose of 'running tests across languages', it grants broad system access. Specifically, the Bash test runner example includes `eval "$cmd"`, a dangerous primitive that, while presented as a template with benign examples, could lead to arbitrary command execution if the agent were to use it with untrusted input or if the skill were modified to inject malicious commands into `$cmd`.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing these packages can modify the project and trust code from external registries.
The skill recommends installing third-party test packages from package registries. This is purpose-aligned, but it changes the user's development environment and depends on external package provenance.
npm install -D jest ... npm install -D vitest ... pip install pytest pytest-cov
Review dependency changes, prefer pinned versions and lockfiles, and install inside the intended project or virtual environment.
Test commands may run code with local file, network, or service side effects depending on the project.
The skill documents commands that execute project test runners. This is central to a testing skill, but running tests executes local project code.
npx jest --coverage ... npx vitest --coverage
Run test commands only in trusted project directories and use isolation when testing unfamiliar code.
A copied example could introduce a race-prone temporary-file pattern.
One Python fixture example uses tempfile.mktemp, an unsafe temporary-file pattern if copied into less controlled contexts. The example is scoped to testing, so this is a low-severity guidance note rather than suspicious behavior.
path = tempfile.mktemp(suffix=".json") ... os.unlink(path)
Prefer pytest's tmp_path fixture or tempfile.NamedTemporaryFile for temporary files.
