Wjs Auditing Project
Advisory
Audited by Static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may immediately inspect repository state, branches, PRs, CI runs, local app logs, and project files as part of the audit.
The skill deliberately initiates a broad set of shell-based project checks once invoked. This is aligned with the audit purpose, but users should know it will run multiple local/network commands without per-command approval.
Run all the read-only checks in one message with parallel Bash calls. Don't ask the user which to run; run them all.
Invoke it only from the intended project directory, and review the resulting checklist before approving any fix, merge, push, tag, or release action.
Repository metadata and CI failure logs from the GitHub account currently logged into `gh` may be shown to the agent.
The GitHub CLI normally uses the user's authenticated GitHub identity to read repository PR and Actions data. The access is purpose-aligned and read-only in the shown instructions.
`gh pr list --state open --json number,title,isDraft,mergeable,mergeStateStatus,updatedAt,author,headRefName` ... `gh run view <id> --log-failed | tail -100`
Before use, confirm `gh` is authenticated to the intended account and repository, especially if you have access to multiple organizations.
Private project plans, file paths, source TODOs, and recent app error details may appear in the audit output.
The skill pulls project planning files and recent app runtime log excerpts into the agent's working context. This is relevant to the audit, but those files/logs may contain private project or user details.
Read `TODOS.md`, `CHANGELOG.md`, `APP_STORE_SUBMISSION_GUIDE.md`, `ROADMAP.md`, `docs/plan*.md` ... `log show --predicate 'process == "Cathier"' --last 1d`
Use it only on projects and logs you are comfortable sharing with the agent, and redact sensitive log output before broader sharing.
