Joycode
ReviewAudited by ClawScan on May 10, 2026.
Overview
Joycode is a coherent coding-assistant skill, but it documents a full-auto mode that can edit files and adjust approvals without clear scope or confirmation rules.
Install only if you trust the JoyCode CLI package and are comfortable with an AI coding tool that can edit project files. Avoid `--full-auto` unless you explicitly want automatic file changes, keep work under version control, and review diffs before accepting results.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could ask another AI coding tool to change project files automatically, which may introduce unwanted edits or broad changes if the user expected a review-only workflow.
The skill documents a full-auto mode that can edit files and also documents an approval-policy command, but it does not require explicit user approval, restrict file scope, or require reviewing diffs before applying changes.
joycode-cli exec --full-auto "为 utils.ts 编写单元测试" ... 全自动模式(允许文件编辑) ... `/approvals` | 动态修改审批策略
Use full-auto mode only after explicit user approval, restrict it to the intended project/files, and review `git diff` before accepting changes.
Installing a global npm package can change the local development environment and runs code obtained outside this skill artifact.
The skill asks for a global npm installation of the JoyCode CLI without pinning a version. This is central to the skill, but it means the installed package source/version should be trusted separately.
npm install -g joycode-cli
Verify the npm package publisher and version before installing; prefer a pinned version or local/project-scoped install where possible.
Using the CLI may create or reuse JoyCode account credentials/session state on the machine.
The skill documents interactive login to a JoyCode account. This is expected for a provider CLI, and the artifacts do not show credential theft or unrelated credential use.
joycode-cli login
Log in only with the intended JoyCode account, understand what permissions the account grants, and use `/logout` when the session should not persist.
Prior prompts, code context, or generated summaries may influence later coding sessions if the CLI stores them.
The skill documents resuming and compacting prior JoyCode sessions, which implies persisted conversation/project context may be reused across tasks.
joycode-cli resume --last ... joycode-cli resume <SESSION_ID> ... `/compact` | 压缩对话历史
Start a new session for sensitive or unrelated projects, and review what session/history data JoyCode CLI stores or reuses.