Code Dev
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent Git development workflow skill, but it can delegate work to a subagent and use GitHub access to push branches and open PRs.
This skill appears safe for its stated purpose if you want an agent-managed Git workflow. Before using it, make sure you are in the correct repository, review local changes, confirm the target branch and PR content, and use GitHub credentials with only the permissions needed.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may edit project files, create branches, push code, and create pull requests.
The skill is explicitly allowed to modify the working tree and run Git/GitHub CLI commands. This is expected for a Git workflow skill, but it can change local files and remote repository state.
Permissions: read/write current working directory, execute git and gh commands
Run it only in the intended repository and review changes before allowing remote pushes or PR creation.
If GitHub credentials are available, repository actions will happen under the user's GitHub identity or configured token.
GitHub authentication is expected for pushing branches and opening PRs, but it means the skill may act using the user's repository permissions.
Optional env: GITHUB_TOKEN (for GitHub authentication)
Use least-privileged GitHub credentials and confirm the target repository, branch, and PR contents.
A subagent may inspect or modify the repository as part of the development workflow.
The skill delegates development work to a subagent. This is disclosed and purpose-aligned, but users should understand that task and repository context may be passed to another agent session.
All development tasks must be executed through a subagent: sessions_spawn({ runtime: "subagent", mode: "run", task: "{任务描述}" });
Use this only with trusted subagent configurations and avoid including secrets in task descriptions or repository files unless necessary.
Installation metadata may not fully prepare users for the tools or authentication needed at runtime.
The skill declares tool and optional authentication needs in SKILL.md, while the registry requirements list no required binaries or env vars. This is a metadata consistency issue, not evidence of hidden behavior.
Required tools: git, gh (GitHub CLI)
Optional env: GITHUB_TOKEN
Verify that git and gh are installed, that GitHub authentication is intentional, and that the installed version matches the expected source.
