Software Engineer
v1.0.0
Write production-ready code with clean architecture, proper error handling, and pragmatic trade-offs between shipping fast and building right.
⭐ 7 · 2k · 12 current · 12 all-time
by Iván (@ivangdavila)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
Name/description match the content: it's an instruction-only 'software engineer' guideline set. It requires no binaries, env vars, installs, or access beyond the project context — nothing requested appears out of scope for a coding guidance skill.
Instruction Scope
The runtime instructions are focused on code style, architecture, testing, and error handling and do not ask to exfiltrate data or call external endpoints. However, the SKILL.md contains detected unicode control characters (prompt-injection pattern) which can be used to alter parsing or agent behavior. Also some statements (e.g., "This skill does NOT make network requests") are declarative guidance, not enforceable controls — if the host agent has network/file privileges the skill could be used in ways the prose does not prevent.
Install Mechanism
No install spec and no code files to execute; instruction-only skills are lowest-risk from an installation perspective.
Credentials
No environment variables, credentials, or config paths are requested — this is proportionate for a documentation/instruction skill.
Persistence & Privilege
always:false (no forced global presence) and default autonomous invocation is allowed (platform default). That is normal; however, autonomous invocation combined with prompt-injection content increases potential impact, so be cautious.
Scan Findings in Context
[unicode-control-chars] unexpected: Hidden unicode control characters are not expected in a plain guidance document. They are commonly used in prompt-injection attacks to manipulate how content is parsed or to hide instructions. Recommend manual inspection and removal of any unexpected hidden chars before trusting the skill.
What to consider before installing
This skill's content matches its purpose and asks for nothing sensitive, but take the following precautions before installing or invoking it autonomously:
- Inspect the SKILL.md and included files in a text editor that can show invisible/control characters; remove any unexpected unicode control characters.
- If you plan to allow autonomous execution, run the skill first in a restricted/sandboxed agent with no network access and limited file permissions to verify behavior.
- Because the files assert they won't make network requests or store data, don't treat that as enforcement—ensure the runtime environment enforces the same restrictions if you need them.
- If you don't need autonomous invocation, disable it (or limit the skill's privileges) until you've validated the content.
If you want, I can display the SKILL.md with non-printing characters highlighted or produce a cleaned version with control characters removed.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97bst0xr9y5c8rwqgty90j6j981e4k0
Runtime requirements
👨💻 Clawdis
OS: Linux · macOS · Windows
