spec驱动开发vibe coding skill (spec-driven development vibe coding skill)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent Git development workflow, but it needs review because it asks for a Git token, stores credentials locally, can automatically commit, tag, or reset repository state, and can load repository-provided skill instructions.

Use this skill only in a trusted repository, preferably in a disposable environment. Provide a short-lived, repository-scoped Git token; inspect any auxiliary/skills files before allowing them to load; require review before git add -A, commits, pushes, tags, or resets; and clean up ~/.git-credentials and checkpoint files after use.

Static analysis

Generated source template injection

Critical
Finding
User-controlled placeholder is embedded directly into generated source code.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Git token with write access could remain available to later Git operations on the machine and could be used to clone, push, or otherwise mutate repositories within that token's scope.

Why it was flagged

The skill requires a provider Git token and says it will write credentials into the local Git credential helper, giving the agent account-backed repository access that can persist beyond a single command.

Skill content
`SPEC_DEV_GIT_TOKEN` ... used to construct an authenticated clone URL and written into the local credential helper ... `~/.git-credentials`

Recommendation

Use a short-lived, least-privilege token limited to the intended repository; prefer non-persistent per-command authentication or explicitly remove the ~/.git-credentials entry after use.

What this means

Users may grant a powerful Git token while underestimating how long the credential may remain on disk.

Why it was flagged

The wording presents ~/.git-credentials storage as limited to the current agent session, but the store credential helper writes ~/.git-credentials as a persistent, user-level file that remains on disk until it is explicitly removed.

Skill content
The credential helper uses local `~/.git-credentials` storage that is limited to the current Agent session.

Recommendation

The skill should accurately disclose credential persistence and provide a cleanup command or use a session-scoped credential helper.
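The two recommendations above (per-command authentication instead of a stored credential, and cleanup of whatever the store helper did write) can be implemented with the following shell functions. This is an added example, not code from the skill: `SPEC_DEV_GIT_TOKEN` is the variable the skill documents, while the `x-access-token` username (a GitHub convention), the example hosts, and the function names are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not part of the skill): authenticate one git command with an
# in-memory credential helper instead of writing ~/.git-credentials, and scrub
# any entry a store helper did leave behind.
# Assumptions: SPEC_DEV_GIT_TOKEN holds a short-lived, repository-scoped token;
# the username "x-access-token" is a GitHub convention and may differ elsewhere.

# Clone with a one-shot credential helper. Git runs a helper whose value starts
# with "!" as a shell command; this one answers only the "get" action from the
# exported token and stores nothing. The leading empty credential.helper= resets
# any helper list (such as "store") inherited from global or system config.
clone_with_ephemeral_token() {
  repo_url=$1
  dest=$2
  : "${SPEC_DEV_GIT_TOKEN:?set a short-lived, repository-scoped token}"
  export SPEC_DEV_GIT_TOKEN
  git -c credential.helper= \
      -c credential.helper='!f() { if [ "$1" = get ]; then printf "username=x-access-token\npassword=%s\n" "$SPEC_DEV_GIT_TOKEN"; fi; }; f' \
      clone "$repo_url" "$dest"
}

# Remove every entry for HOST from a git-credential-store file (default
# ~/.git-credentials). Lines look like https://user:token@host[/path]; the awk
# strips the scheme and userinfo, then compares only the host component, so
# entries for other providers are kept.
scrub_git_credentials() {
  host=$1
  file=${2:-"$HOME/.git-credentials"}
  [ -f "$file" ] || return 0
  tmp=$(mktemp)
  awk -v host="$host" '
    {
      rest = $0
      sub(/^[a-zA-Z][a-zA-Z0-9+.-]*:\/\/([^@\/]*@)?/, "", rest)
      split(rest, parts, "/")
      if (parts[1] != host) print
    }' "$file" > "$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$file"
}

# Usage:
#   SPEC_DEV_GIT_TOKEN=... clone_with_ephemeral_token https://github.example.com/org/repo.git work
#   scrub_git_credentials github.example.com
```

The scrub function edits the file directly because that is what the skill's wording refers to; where a helper other than `store` is configured, `printf 'protocol=https\nhost=github.example.com\n' | git credential reject` asks every configured helper to erase its matching entry instead.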

What this means

Unreviewed local files, build artifacts, or secrets inside the repository could be captured in Git history or tags, and repository state can be changed automatically during failures.

Why it was flagged

The checkpoint workflow can be triggered automatically, stages all changes including untracked files, creates commits/tags, and documents an optional remote tag push without clear file exclusions or per-action confirmation.

Skill content
Automatically triggered ... `git add -A` ... `git commit -m "checkpoint... WIP auto-save"` ... `git tag "checkpoint/${CKPT_ID}"` ... `git push origin "checkpoint/${CKPT_ID}"`

Recommendation

Require explicit confirmation before git add -A, commit, tag push, release push, or reset; add default exclusions for secrets and generated artifacts; show the exact files to be committed before acting.
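A checkpoint wrapper that follows this recommendation (show the exact file list, refuse on likely secrets or build artifacts, and commit only after a typed confirmation) could look like the following. This is an added example rather than the skill's own checkpoint code; the deny patterns, the prompt, and the commit message shape are assumptions chosen to mirror the quoted workflow.

```shell
#!/usr/bin/env sh
# Added example (not part of the skill): a reviewed replacement for an
# automatic "git add -A && git commit" checkpoint.
# Assumptions: the deny patterns below are illustrative defaults; the tag and
# any push remain separate, explicitly confirmed steps outside this function.

# Print the subset of candidate paths (one per line on stdin) that look like
# secrets or generated output. Conservative on purpose: .env.example is flagged
# along with .env, which is preferable to committing a real one.
flag_sensitive_paths() {
  awk '
    /(^|\/)\.env(\.[A-Za-z0-9_-]+)?$/           { print; next }   # .env, .env.local
    /\.(pem|key|p12|pfx|jks)$/                  { print; next }   # key material
    /(^|\/)id_(rsa|dsa|ecdsa|ed25519)$/         { print; next }   # SSH private keys
    /(^|\/)\.git-credentials$/                  { print; next }
    /(^|\/)(node_modules|dist|build|target)\//  { print; next }   # build artifacts
  '
}

# Stage and commit a checkpoint only after listing exactly what git add -A
# would have taken, refusing when a flagged path is present, and asking the
# operator to confirm. Renamed entries appear as "old -> new" in porcelain
# output and make the add step fail loudly rather than staging silently.
checkpoint() {
  ckpt_id=$1
  # Tracked changes plus every untracked file: the same set git add -A stages.
  candidates=$(git status --porcelain --untracked-files=all | cut -c4-)
  if [ -z "$candidates" ]; then
    echo "nothing to checkpoint" >&2
    return 0
  fi
  flagged=$(printf '%s\n' "$candidates" | flag_sensitive_paths)
  if [ -n "$flagged" ]; then
    printf 'refusing checkpoint; sensitive or generated paths present:\n%s\n' "$flagged" >&2
    return 1
  fi
  printf 'files to be committed:\n%s\n' "$candidates"
  printf 'continue with commit (yes/no)? '
  read -r answer
  [ "$answer" = yes ] || return 1
  # Stage only the reviewed list, never a blanket -A.
  printf '%s\n' "$candidates" | git add --pathspec-from-file=-
  git commit -m "checkpoint ${ckpt_id} WIP auto-save"
}

# Usage inside a repository:  checkpoint "$CKPT_ID"
```

`git add --pathspec-from-file=-` needs Git 2.25 or later; on older versions, pass the reviewed paths as arguments instead.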

What this means

A malicious or compromised repository could place instructions in auxiliary skill files that redirect the agent's goals or cause unsafe tool use.

Why it was flagged

The cloned repository can supply skill-discovery files and SKILL.md instructions that the agent is told to load, with no artifact-backed allowlist, signature check, or trust boundary.

Skill content
Read `auxiliary/skills/available_skills.xml` in full ... fully load `auxiliary/skills/<n>/SKILL.md` before continuing execution.

Recommendation

Disable repo-local skill loading by default, or only load allowlisted and reviewed skills after showing the user the selected file and asking for approval.
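One way to put such a trust boundary in front of repo-local skill loading is to keep a reviewed allowlist of file digests outside the repository and admit a cloned `SKILL.md` only when its digest matches. The following is an added example, not part of the skill: the allowlist location and its `sha256sum`-style format (`digest`, two spaces, relative path) are assumptions, as are the function names.

```shell
#!/usr/bin/env sh
# Added example (not part of the skill): admit auxiliary/skills/<name>/SKILL.md
# from a clone only when its SHA-256 digest is on a reviewed allowlist kept
# outside the repository; anything else is shown to the operator first.
# Assumption: the allowlist uses sha256sum's output format, one file per line.

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 when FILE's digest is listed under the same relative path REL.
# Matching on the pair prevents an allowlisted file being moved to stand in
# for a different skill.
skill_file_allowed() {
  file=$1; rel=$2; allowlist=$3
  digest=$(sha256_of "$file")
  grep -qxF "$digest  $rel" "$allowlist"
}

# Pure decision for auxiliary/skills/<name>/SKILL.md in REPO:
# "allow" when allowlisted, "missing" when absent, otherwise "deny".
skill_load_decision() {
  repo=$1; name=$2; allowlist=$3
  rel="auxiliary/skills/$name/SKILL.md"
  [ -f "$repo/$rel" ] || { echo missing; return 0; }
  if skill_file_allowed "$repo/$rel" "$rel" "$allowlist"; then
    echo allow
  else
    echo deny
  fi
}

# Interactive gate: allowlisted files are emitted for the agent unchanged;
# anything unreviewed is printed with its digest and needs a typed approval
# before it is emitted at all.
load_repo_skill() {
  repo=$1; name=$2; allowlist=$3
  rel="auxiliary/skills/$name/SKILL.md"
  case "$(skill_load_decision "$repo" "$name" "$allowlist")" in
    allow) cat "$repo/$rel" ;;
    missing) echo "no $rel in repository" >&2; return 1 ;;
    deny)
      printf 'UNREVIEWED skill file %s (sha256 %s):\n' "$rel" "$(sha256_of "$repo/$rel")" >&2
      cat "$repo/$rel" >&2
      printf 'load this file into the agent context (yes/no)? ' >&2
      read -r answer
      [ "$answer" = yes ] || return 1
      cat "$repo/$rel" ;;
  esac
}

# Usage:  load_repo_skill ./clone review "$HOME/.config/spec-dev/skill-allowlist"
```

Approving an unreviewed file interactively should be followed by adding its digest to the allowlist, so the same review is not repeated and a later change to the file is noticed as a new deny.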

What this means

Sensitive project details or poisoned instructions stored in checkpoint files could be reused later and steer future agent behavior.

Why it was flagged

Checkpoint documents persist a resume prompt and instruct users or agents to inject it as the first message of a new session, making stored context and generated summaries influential across sessions.

Skill content
Paste/inject this block in full as the first message of a new Session ... RESUME_CONTEXT — spec-driven-dev session resume pack

Recommendation

Separate factual state from executable instructions, mark restored content as untrusted, redact sensitive data, and require user review before injecting checkpoint context into a new session.

What this means

Users have less provenance information for deciding whether to trust a workflow with repository write access.

Why it was flagged

The registry metadata does not provide a verified source and the homepage appears to be a placeholder, which matters because the skill asks for a Git token and can mutate repositories.

Skill content
Source: unknown; Homepage: https://github.com/your-org/spec-driven-dev

Recommendation

Verify the publisher and source repository before installation, and avoid granting broad credentials to an unverified skill.