Ai Company Cqo 2.0.0
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a purpose-aligned AI quality-governance skill, but users should be aware of its cross-agent messaging, its bundled memory file, and its local checker script, which reads files under a user-supplied path and may print partial secret-like matches.
This skill is reasonable to install for AI quality governance, but review the version mismatch, run the Python checker only on intended skill folders, and be cautious about sending sensitive project data through subagent/session workflows.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users may have difficulty confirming exactly which version they are installing or comparing it with prior reviews.
The SKILL.md has an internal version mismatch, and the registry/meta files list other versions. This is a provenance/packaging quality issue, not evidence of malicious behavior.
version: "2.3.0" ... # AI Company CQO Skill v2.0
Ask the maintainer to align the registry, SKILL.md, meta.json, and _meta.json versions before relying on version-specific guarantees.
Running the helper script will execute local Python code and inspect files under the path you provide.
The tool is executed as a local Python script. This is user-directed and directly related to the quality-checking purpose, but it is still local code execution.
python quality_gate_checker.py <skill_path>
Run it only from a trusted copy of the skill and only against intended skill directories.
Prior notes or assumptions bundled with the skill may shape responses beyond the immediate user request.
The package includes a persistent memory-style work log. Such memory can influence future agent behavior if loaded as context.
# CQO-001 每日工作日志 - 2026-04-12 (translation: "CQO-001 daily work log - 2026-04-12")
Review bundled memory files and require user approval before saving or reusing new long-term memory.
If scanned files contain real credentials, partial credential values could appear in command output.
When the checker detects secret-like text, it stores and prints the first 30 characters of the match. That is useful for locating findings but can expose most or all of a real secret (a typical API key or access key ID is shorter than 30 characters) in logs or agent context.
sensitive_found.append(f"{rel_path}: {match.group()[:30]}...")
Mask secret matches more aggressively before displaying or saving reports, and avoid scanning directories that may contain real secrets unless outputs are protected.
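As an added example (not the skill's own quality_gate_checker.py, whose internals beyond the quoted line are not shown on this page), the following Python demonstrates the two mitigations recommended for the checker findings above: confining the scan to the intended skill folder, and recording a redacted locator (short prefix, length, truncated SHA-256) instead of the first 30 characters of a match. The regex patterns, skip lists, file names and the sample key are constructed assumptions for illustration.

```python
"""Added example (not the skill's own quality_gate_checker.py): a
secret-like text scanner that confines itself to the intended skill
folder and records only a redacted fingerprint of each match instead
of the first 30 characters.  Patterns, file names and sample data are
constructed for illustration."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructed patterns for demonstration; a real checker would carry more.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "generic_api_key": re.compile(
        r"(?i)api[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Files that legitimately hold live credentials and should not be read by
# a quality gate whose output may land in logs or agent context (assumed list).
SKIP_NAMES = {".env", ".env.local", "credentials", "id_rsa", "id_ed25519"}
SKIP_DIRS = {".git", "node_modules", "__pycache__"}


def redact(secret: str, keep: int = 4) -> str:
    """Return a locator that cannot be replayed as the credential: a short
    prefix, the length, and a truncated SHA-256 so two findings can still
    be told apart without the value itself ever reaching the report."""
    digest = hashlib.sha256(secret.encode()).hexdigest()[:8]
    return f"{secret[:keep]}...[redacted len={len(secret)} sha256={digest}]"


def confine(path: str, allowed_root: str) -> Path:
    """Resolve `path` (following symlinks) and refuse anything that does not
    sit under `allowed_root`, so a stray argument like `~` or a symlink out
    of the skill folder cannot turn the checker into a home-directory scan."""
    root = Path(allowed_root).resolve()
    target = Path(path).resolve()
    if target != root and root not in target.parents:
        raise ValueError(f"{path} is outside the intended skill root {root}")
    return target


def scan_skill(skill_path: str, allowed_root: str) -> list[dict]:
    """Walk the confined folder and collect redacted findings."""
    base = confine(skill_path, allowed_root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(base):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if name in SKIP_NAMES:
                continue
            fpath = Path(dirpath) / name
            try:
                text = fpath.read_text(errors="ignore")
            except OSError:
                continue
            for lineno, line in enumerate(text.splitlines(), 1):
                for kind, pat in SECRET_PATTERNS.items():
                    for m in pat.finditer(line):
                        secret = m.group(1) if m.groups() else m.group()
                        findings.append({
                            "file": fpath.relative_to(base).as_posix(),
                            "line": lineno,
                            "kind": kind,
                            "match": redact(secret),  # never the raw value
                        })
    return findings


def build_demo_dir() -> str:
    """Constructed sample: a skill folder with a fake AWS-style key in a
    config file and a .env that must be skipped. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="cqo_demo_")
    scripts = os.path.join(root, "skill", "scripts")
    os.makedirs(scripts)
    with open(os.path.join(scripts, "config.py"), "w") as f:
        f.write('REGION = "us-east-1"\n')
        f.write('AWS_KEY = "AKIAIOSFODNN7EXAMPLE"  # constructed sample\n')
    with open(os.path.join(root, "skill", ".env"), "w") as f:
        f.write("API_KEY=demo_only_value_0123456789abcdef\n")
    return root


def run_demo() -> list[dict]:
    """Scan the constructed folder with the temp root as the allowed root."""
    root = build_demo_dir()
    return scan_skill(os.path.join(root, "skill"), allowed_root=root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The demo reports the constructed key in scripts/config.py as `AKIA...[redacted len=20 sha256=...]` and never opens the `.env` file; pointing the scanner at a path outside the allowed root raises before any file is read. The hash lets a reviewer confirm a finding against the file without the report itself carrying the credential.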
Quality context, defect details, or project information may be shared with other agents or sessions during review workflows.
The skill declares MCP session messaging and subagent use, consistent with its cross-agent quality-review design.
mcp: [sessions_send, subagents]
Confirm which agents receive data and avoid including sensitive business or customer information unless the sharing boundary is acceptable.
