Skill v1.0.0
ClawScan security
Testcase Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 9, 2026, 10:42 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill appears to be what it claims — an on-host test case generator that reads local configs and Excel files and writes generated Excel outputs — but it reads/writes files under your home directory and can overwrite existing test case libraries, so review paths and back up data before using.
- Guidance: This skill is internally consistent with its goal of generating and updating test-case Excel files and does not contact external endpoints or request secrets. Before using it:
  1) Inspect and, if necessary, edit product config paths in ~/.openclaw/products/ (or the built-in DEFAULT_CONFIG) so the scripts target the correct files.
  2) Back up any existing case library Excel files — update_library will overwrite target files.
  3) Note that PRD parsing/OCR functionality mentioned in SKILL.md is not implemented in the included scripts; you'll need to provide parsed content or add parsing code/tools.
  4) Run the scripts on sample/test directories first to validate behavior and outputs.
  5) If you plan to integrate this into an automated agent workflow, ensure interactive confirmation steps are preserved (the CLI update operation is non-interactive) or wrap the calls to require explicit user approval.
Review Dimensions
- Purpose & Capability (note): Name/description (generate and update test cases, produce 2 Excel files) matches the included Python scripts (case_generator.py and version_manager.py). The code implements Excel generation and library version/update operations which are coherent with the stated purpose. Minor mismatch: SKILL.md promises PRD parsing (PDF/Word/Markdown) and OCR support, but there is no code in the repository that performs document parsing or OCR — those steps appear to be left to the agent/human or not implemented in these scripts.
- Instruction Scope (note): Runtime instructions operate on local files and directories (e.g., ~/.openclaw/workspace/, ~/.openclaw/products/, product-specific Excel files). That is consistent with the purpose. The SKILL.md explicitly instructs reading user-provided update files and storing outputs in the user's home workspace. Nothing in the instructions directs data to external network endpoints. However, the skill reads and writes arbitrary Excel files (including the configured 'case library' target paths) — the update path will overwrite target Excel files on disk, so the agent or user must ensure correct file paths and backups.
- Install Mechanism (ok): No install spec and no external downloads; this is an instruction+script-only skill. It relies on standard Python libraries (openpyxl) but does not declare an installer — minimal install risk. No network fetches or third-party package installation are present in the manifest.
- Credentials (ok): The skill requests no environment variables, no credentials, and no special config paths beyond user-local paths under ~/.openclaw and configured Excel paths. The requested file access is proportional to the stated behavior (reading/writing local case libraries and workspace files).
- Persistence & Privilege (concern): The skill is not always-on and does not request credentials, but it does modify files on the host: version_manager.update_library will write back to configured case library Excel files (overwriting them), and the scripts create metadata and output files under ~/.openclaw/workspace/. That file-write capability is consistent with the purpose but is potentially destructive if misconfigured — users should confirm target paths, back up libraries, and review the code before running automated updates.
