Skill Testing (skill测试)
Review
Audited by ClawScan on May 11, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
This appears safe for static Skill documentation reviews. Install it only if you are comfortable with it reading the specific Skill files you ask it to evaluate, and do not let the dynamic-testing reference run commands or use credentials unless you explicitly want that separate testing workflow. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may inspect local Skill documentation and directory names while preparing an evaluation.
The skill instructs the agent to read target Skill documentation and list related directories. This is read-only and aligned with documentation evaluation, but it still touches local Skill files.
Step 1: Read the Skill content ... read /path/to/skill/SKILL.md ... ls /path/to/skill/references/ ... ls /path/to/skill/scripts/
Use it on specific Skill folders you intend to review, and avoid pointing it at unrelated private directories.
If a user deliberately follows the dynamic-testing guide, commands from another Skill could run locally.
A reference document describes dynamic testing by running target Skill commands. The main SKILL.md says this evaluator is static-only and must not execute code, so this reference should not be treated as the default workflow.
Step 3: Run the tests ... cd $SKILL_PATH ... node scripts/index.js quote sh600519 ... OUTPUT=$(node scripts/index.js quote sh600519 2>&1)
Keep normal use to static analysis. Only run dynamic tests with explicit user approval, a test environment, and a clear understanding of the target Skill's side effects.
Dynamic testing could involve provider or internal credentials for the Skill being tested.
The dynamic-testing reference discusses API keys and authentication for tested Skills. This is not required by the evaluator's static mode, but it is sensitive if a user chooses to perform dynamic tests.
Q2: What if the test requires an API key or authentication? ... Ask the user before testing ... Authentication method: TAI_IT_TOKEN (auto-injected)
Do not provide credentials for this evaluator's static review. If dynamic testing is intentionally performed, use test credentials and confirm exactly which service will receive them.
