contract-doc-sync
v1.0.1 Documentation sync tool: detects code-doc drift and repairs it in sync. Reads and writes only Markdown files under the local docs/ directory, and runs only local scripts (git diff, md-sections). Source files are read-only; no network requests, no cryptographic operations, no payment/purchase features, no remote downloads. Requires: python3, git, bash. Write-scope whitelist: docs/modu...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description (detect code-doc drift, read/write docs/ Markdown, run local scripts) aligns with included files and declared runtime dependencies. The shipped Python script only invokes git locally and classifies paths; the shell script parses Markdown locally. No required env vars, no remote downloads, and no unrelated binaries are requested.
Instruction Scope
Instructions stay within the declared purpose: they scan repo files (README, SUMMARY, docs/, pom/package.json, controllers/entities), run detect-changes.py and md-sections.sh, and edit only whitelisted docs paths. Two noteworthy caveats: (1) L3 (D10) explicitly uses an external/cloud LLM to perform semantic checks and therefore will send code/document snippets to the LLM provider (privacy/exfil risk acknowledged in SKILL.md). (2) The skill assumes platform-provided Read/Edit/Bash tools and relies on them to access repo files; verify those platform tools' permissions and scoping. Otherwise, no instructions ask for unrelated secrets or network endpoints.
Install Mechanism
Instruction-only skill with no install spec. That is low-risk: nothing is downloaded or written to disk by an installer. The only required host tools are python3, git and bash which are reasonable and declared.
Credentials
No environment variables or credentials are requested. The only platform-injected variables ($SKILL_DIR, $MD_SECTIONS) are reasonable and documented. The skill does read repository files (including build files and AGENTS.md/CLAUDE.md) which is coherent with its purpose.
Persistence & Privilege
Skill is not always:true and is user-invocable. It is allowed to invoke autonomously (platform default). It can perform automated, in-place edits to docs/ for deterministic cases (L1/L2 auto-fixes are allowed per SKILL.md). Users should verify whether the platform will commit/push changes or open PRs after edits — the SKILL.md does not clearly state commit/PR behavior. Recommend restricting autonomous runs or requiring human confirmation for auto-edits if undesired.
Assessment
This skill appears coherent and does what it says: it analyzes local git diffs and updates files under docs/* using the included scripts. Before installing:
1) Confirm your agent platform's Read/Edit/Bash tools are properly scoped (that they can only write to the intended docs/ whitelist and cannot push commits or publish changes without your consent).
2) Start with L0/L1 (the no-fix or minimal-fix levels) on a safe branch to review the generated report and any automatic edits.
3) Be aware that L3 semantic checks send code/doc snippets to a cloud LLM provider (privacy/exfil risk); avoid L3 on sensitive codebases or ensure the LLM provider's data handling is acceptable.
4) Verify whether the skill will automatically commit or open PRs; if you want manual review, require it in the agent/platform settings or run the skill in read-only/reporting mode first.
latest · vk97e3egyrdamx24cz4nvg7h8d584wh5s
