Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Programmer Cognition
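v1.0.0
Programmer Cognition Skill: the SOUL five laws adapted to software development, four-way collision code review + deployment redlines + CI self-evolution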
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (programmer cognition, code review, CI checks) match the SKILL.md content. However, the SKILL.md includes Python usage examples (import skills.programmer_cognition, ProgrammerCognition class) and an install command (clawhub install / cp -r) even though the skill bundle contains no code files or install spec. That inconsistency means the skill as published does not include the executable implementation it documents.
Instruction Scope
The instructions and checklists themselves are scoped to developer tasks (code review, debug templates, pre-deploy checklist). They don't explicitly instruct the agent to read arbitrary system files or exfiltrate secrets. However, the text assumes the skill will interact with CI/CD, logs, and a workspace; the SKILL.md does not define how those integrations happen or what paths/endpoints are used, leaving room for ambiguity at runtime.
Install Mechanism
No install spec or packaged code is present (instruction-only). That is low-risk from an installation-execution perspective, but it reinforces the coherence problem: the README and SKILL.md show install/use commands while nothing to install is included.
Credentials
The skill does not request environment variables, binaries, or credentials in metadata. The documented redlines explicitly forbid hardcoding keys and direct production DB ops. Still, the runtime examples imply access to workspace, CI, and logs — you should not grant credentials or access until you confirm what integration points the implementation actually requires.
Persistence & Privilege
Flags: always:false and no special OS restrictions. There is no evidence the skill requests persistent/privileged presence. HEARTBEAT.md describes periodic checks conceptually, but without code there is no autonomously executing component installed by this package.
What to consider before installing
This skill's docs describe a useful code-review/CI assistant, but the package contains only documentation files — no implementation. Before installing or using it: 1) ask the publisher for the actual code/package referenced by the examples (the Python module and clawhub package), 2) verify any install artifact comes from a trusted source (GitHub repo releases or your internal registry) and inspect the code for what files/paths it reads or what endpoints it calls, 3) do not provide CI/production credentials or grant workspace access until you confirm exactly what integrations are required, and 4) prefer installing in a sandbox/test environment first to observe behavior. If the publisher cannot provide the implementation or if an install artifact differs from these docs, treat it as potentially untrusted.
Like a lobster shell, security has layers — review code before you run it.
latestvk975y2hbx09dx9zg61m0vj3hj583ztf6
