project-docs-generator
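v1.0.0
Intelligently analyzes a codebase and generates a customized documentation system. This skill is triggered when the user needs to: (1) create documentation for a new project (2) fill in missing documentation for an existing project (3) generate a technical documentation directory structure (4) create architecture design documents (5) write API documentation or development guides. Supports any technology stack and project structure (pure frontend, pure backend, full stack, microservices, monorepo, library/SDK, etc.), automatically identifies the project's characteristics and generates...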
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (project documentation generation) aligns with included assets: analyze_codebase.py (scans repo and detects tech stack), init_docs.py (creates docs directory and templates), and validate_plantuml.py (validates PlantUML blocks). There are supporting reference docs describing structure and detection rules, so required capabilities are proportionate to the stated purpose.
Instruction Scope
SKILL.md explicitly instructs scanning the project root, parsing dependency/config files, extracting entry points, and performing '按需网络检索' (on-demand web searches when unfamiliar frameworks appear). Scanning project files (including config files) is appropriate for the stated goal, but the web-retrieval guidance means the agent may contact external sites and could (depending on agent behavior) expose code snippets or config data during searches. The instructions do not direct exfiltration to unexpected endpoints, but they do give broad discretion to perform internet lookups.
Install Mechanism
There is no install spec (instruction-only behavior) and all code is delivered as plain Python scripts in the skill bundle; nothing is downloaded from arbitrary URLs and no archives are extracted. This is low install risk.
Credentials
The skill requests no environment variables or external credentials. However, the analyzer intentionally reads project files and common config files (package.json, pom.xml, requirements.txt, YAML/JSON/TOML/etc.), which can contain secrets or credentials in practice. While that access is coherent with analyzing a codebase, it is a privacy/secret-exposure risk when run against repositories containing sensitive data.
Persistence & Privilege
The skill does not request elevated platform privileges and 'always' is false. It does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but is not combined with other high-risk flags.
Assessment
This skill appears internally consistent and implements the described functionality. Before installing or running it, consider:
1) Review the three Python scripts (analyze_codebase.py, init_docs.py, validate_plantuml.py) yourself — they are plain readable code and perform filesystem operations under the provided project path.
2) Run the tool in an isolated environment (container or VM) if you will analyze repositories that may contain secrets or proprietary code. The analyzer will parse config and dependency files (which sometimes contain credentials); the SKILL.md also recommends 'on-demand network searches' — decide whether the agent should be allowed to make external requests (this can leak snippets or metadata).
3) validate_plantuml.py warns about external !include directives in PlantUML; if your docs reference external includes, inspect those references.
4) If you need stricter privacy, disable web access for the agent or restrict the skill to local-only analysis.
Overall: coherent and purposeful, but exercise standard caution around running code that scans repositories and can reach the network.
Like a lobster shell, security has layers — review code before you run it.
