Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Post-Development Verification
v1.0.1
Post-development full-stack verification skill. Automatically triggered after Agent completes a development task. Executes production-level validation (unit...
⭐ 0· 40·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (post-development full-stack verification) align with the SKILL.md which explains test design, environment checks, starting services, running tests and E2E validation. Declared capabilities (read_project_files, run_tests, start_stop_services, network_access) are expected for this purpose.
Instruction Scope
The instructions explicitly direct the agent to start/stop services, run DB migrations, seed and delete test data, and make real network requests. That behavior matches the stated purpose (real-execution-first), but it grants the agent broad, potentially destructive discretion if Phase 0 review / user gating are skipped. The SKILL.md recommends Phase 0 and sandboxing, but does not enforce an explicit confirmation step before execution phases.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes filesystem/install risk (nothing is downloaded or executed by an installer).
Credentials
requires.env is empty in registry metadata, yet the instructions and metadata repeatedly reference using test accounts, test API keys, and environment-variable-sourced tokens. Not requiring any specific env vars is coherent (they are optional), but it means the agent may try to read whatever environment variables are present; callers should explicitly provide test-only credentials and remove production credentials from the agent environment.
Persistence & Privilege
always:false and default model invocation settings (agent can invoke autonomously) are appropriate. The skill does not ask to modify other skills or system-wide settings. Its actions are limited to the project/test environment described in SKILL.md.
Assessment
This skill is consistent with a test/verification tool, but it performs powerful, state-changing operations (start services, run DB migrations, seed/delete data, network calls). Before using it: (1) run Phase 0 and carefully review the Environment Report it produces; (2) ensure the agent runs in an isolated test/sandbox with no production credentials or access to production networks; (3) explicitly provide only test API keys/accounts and remove any production env vars from the runtime; (4) require an explicit human approval step before allowing Phase 2 (execution) to proceed; and (5) consider running the verification in a disposable CI environment or ephemeral container to limit blast radius. If you cannot guarantee sandboxing and credential separation, avoid running the execution phases.
Like a lobster shell, security has layers — review code before you run it.
Tags: anti-patterns, business-flow, ci-cd, delivery, e2e, feedback-loop, latest, metrics, quality-gates, real-execution, regression, test-design, testing, verification
