Test Sentinel
Review
Audited by ClawScan on May 10, 2026.
Overview
Test Sentinel looks like a legitimate testing helper, but its visible instructions allow broad automatic code edits and commits without explicit user review.
Install only if you are comfortable letting the skill read and write your project files and run Node-based test/lint commands. Use a clean branch, review diffs before accepting fixes, and do not allow automatic `git add -A` or commits unless you have confirmed that only the intended files are included.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. The agent could change production source files while trying to make tests pass, not just add tests.
This authorizes autonomous source-code mutation as part of normal operation, and the visible instructions do not require approval before changing application code.
Evidence: "You write tests, run them, analyze failures, and fix code autonomously."
Recommendation: Use this only in a clean branch or disposable workspace, and require the agent to show a diff and get approval before source-code fixes.

2. A mistaken auto-fix could spread across many files and be persisted in repository history.
The formatter command targets the whole repository, and `git add -A` stages all changes, including potentially unrelated user work, before committing.
Evidence: `npx next lint --fix && npx prettier --write .` ... `git add -A && git commit -m "test: fix <description>"`
Recommendation: Before allowing commits, review the diff, ensure the worktree is clean, and stage only files intentionally changed for the requested task.

3. Tests and lint commands may run local project code and dependencies.
Running local test and browser automation commands is central to the skill's purpose, but it still executes the project's Node-based tooling.
Evidence: `npx vitest run && npx playwright test`
Recommendation: Run in a trusted project, preferably on a branch or in a container/CI environment when testing untrusted code.

4. Users may not be able to rely on registry metadata alone to verify the source, version, or prerequisites.
The supplied claw.json separately declares a GitHub homepage, version 1.1.0, and node/npx requirements, so the package metadata is not fully coherent.
Evidence (registry metadata): Source: unknown; Homepage: none; Version: 0.1.2; Required binaries: none
Recommendation: Verify the package provenance and confirm Node/npx are expected before installing or invoking the skill.
