v2.0.1

testcase-generator

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:04 AM.

Analysis

The skill is purpose-aligned, but it deserves review because it uses application MySQL/Redis credentials and real data, then may generate database/cache-changing tests.

Guidance: Use this skill only with sanitized test configurations and read-only or least-privilege MySQL/Redis accounts. Review the selected tables, Redis keys, generated JSON, and any setup/teardown SQL before approving the JUnit step, and avoid pointing it at production data.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
scripts/data_reader.py
sql = f"SELECT * FROM {table_name}"
if where:
    sql += f" WHERE {where}"

SQL is constructed directly from method arguments without allowlisting or parameterization; the same file also includes a raw execute_query(sql) helper.

User impact: A mistaken or overly broad table, WHERE clause, or custom SQL input could query unintended data, and raw SQL helpers are risky around privileged databases.
Recommendation: Restrict this helper to allowlisted tables and read-only SELECTs, parameterize filters, and review the exact queries before running them.
Cascading Failures
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
| setup | Precondition - MySQL/Redis data preparation | INSERT/UPDATE/SET |
| teardown | Postcondition - data cleanup | DELETE/DEL |

Generated test cases are expected to include database and Redis mutation steps, and the workflow later invokes a JUnit test-generation skill after user confirmation.

User impact: If these generated tests are run against the wrong environment, they could insert, update, delete, or clear real database/cache data.
Recommendation: Execute generated tests only in isolated test environments, require explicit human review of setup/teardown actions, and avoid production credentials.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
scripts/data_reader.py
Install command: pip install pymysql

The script relies on third-party Python packages, but the skill has no install spec or pinned dependency list.

User impact: Users may install dependencies manually and could get unexpected package versions if they do not pin or verify them.
Recommendation: Install dependencies from trusted sources with pinned versions, preferably in a virtual environment.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
scripts/data_reader.py
'user': datasource.get('username', 'root'),
'password': datasource.get('password', ''),

The script extracts database account credentials from application configuration, including a root default if no username is present. This is not declared in the registry metadata as a credential or required config path.

User impact: If the supplied config points to a production or privileged database/cache, the agent can use those credentials to read sensitive service data.
Recommendation: Use only non-production or read-only MySQL/Redis credentials, and declare the required config/credential handling clearly before installation.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Data reading - read the MySQL table data and table structure and the Redis cache data required by the interface under test ... The LLM generates test cases based on the following information ... database table structure ... real test data

The instructions explicitly put real database/cache data and schema into the LLM's working context for test generation, with no redaction, retention, or sensitive-field exclusion guidance.

User impact: Customer, business, token, or operational data from MySQL/Redis could be copied into model context or generated test-case files.
Recommendation: Run this only on sanitized test data, limit requested tables and Redis keys, and review generated JSON for secrets or personal data before sharing or executing it.
Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
After the test cases are generated, the junit-test-generator skill is invoked to execute them only once the user has reviewed and confirmed the test cases.

The skill discloses a handoff to another skill after user confirmation; generated test cases may contain database-derived values.

User impact: Data included in the generated tests can be passed into another skill during the follow-on workflow.
Recommendation: Review and sanitize the generated test-case file before approving the JUnit-generation step.