Joycode

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: joycode
Version: 1.0.0

The skill bundle provides instructions for an AI agent to interface with the 'joycode-cli' tool for code generation and AI-assisted programming. It includes standard commands for installation via npm, interactive TUI modes, and automated file editing (e.g., 'joycode-cli exec --full-auto'). While the tool requires shell access and file system permissions to function as a coding assistant, the instructions in SKILL.md are transparent, lack obfuscation, and do not exhibit signs of data exfiltration or malicious intent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could ask another AI coding tool to change project files automatically, which may introduce unwanted edits or broad changes if the user expected a review-only workflow.

Why it was flagged

The skill documents a full-auto mode that can edit files and also documents an approval-policy command, but it does not require explicit user approval, restrict file scope, or require reviewing diffs before applying changes.

Skill content

joycode-cli exec --full-auto "为 utils.ts 编写单元测试" ... Full-auto mode (allows file editing) ... `/approvals` | Dynamically modify the approval policy

Recommendation

Use full-auto mode only after explicit user approval, restrict it to the intended project/files, and review `git diff` before accepting changes.

What this means

Installing a global npm package can change the local development environment and runs code obtained outside this skill artifact.

Why it was flagged

The skill asks for a global npm installation of the JoyCode CLI without pinning a version. This is central to the skill, but it means the installed package source/version should be trusted separately.

Skill content

npm install -g joycode-cli

Recommendation

Verify the npm package publisher and version before installing; prefer a pinned version or local/project-scoped install where possible.

What this means

Using the CLI may create or reuse JoyCode account credentials/session state on the machine.

Why it was flagged

The skill documents interactive login to a JoyCode account. This is expected for a provider CLI, and the artifacts do not show credential theft or unrelated credential use.

Skill content

joycode-cli login

Recommendation

Log in only with the intended JoyCode account, understand what permissions the account grants, and use `/logout` when the session should not persist.

What this means

Prior prompts, code context, or generated summaries may influence later coding sessions if the CLI stores them.

Why it was flagged

The skill documents resuming and compacting prior JoyCode sessions, which implies persisted conversation/project context may be reused across tasks.

Skill content

joycode-cli resume --last ... joycode-cli resume <SESSION_ID> ... `/compact` | Compress conversation history

Recommendation

Start a new session for sensitive or unrelated projects, and review what session/history data JoyCode CLI stores or reuses.