Simple Code
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only coding skill is coherent and purpose-aligned, but users should know it can edit project files, delegate work to a coding sub-agent, and keep local untracked step logs.
This looks safe to install for small coding tasks. Before using it, choose the project path carefully, use version control, say whether review mode should avoid making changes, and be aware that `.steps/` logs and delegated model work may include project context.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may change files in the selected project folder as part of normal use.
The skill is intended to perform coding work and therefore may create or modify local project files. This is purpose-aligned, but users should understand it is not review-only unless they specify that.
"do the real work in the project folder: implementation, review, testing, bug-fixing, documentation, and `.steps/` tracking"
Use it inside the intended project directory, keep version control or backups, and specify 'review only, do not patch' if you only want feedback.
Local step logs may contain task details or summaries that remain on disk but are not committed to the repository.
The skill creates persistent local task-tracking records that are intentionally excluded from git. This is disclosed and purpose-aligned, but it can retain project details outside normal version-control review.
"record the work in `.steps/` ... Initialize or update `.gitignore` if needed so `.steps/` and everything under it are ignored."
Review or clear `.steps/` if it may contain sensitive project information, and avoid putting secrets into prompts or project notes.
Project instructions and relevant code may be shared with the delegated coding sub-agent/model during normal use.
The skill explicitly delegates work to another coding agent/model. This is central to the skill's design, but the artifacts do not further define data boundaries for what project context is shared with that sub-agent.
"Spawn a coding sub-agent and prefer the model `openai-codex/gpt-5.3-codex` by default unless the user asks for something else."
Use it only with code and context appropriate for the configured model/provider, or specify a different model/delegation preference if needed.
