Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw TDD Assistant

v1.1.0

Test-Driven Development assistant. Generates test cases from code or specifications, runs tests, tracks coverage, and guides the red-green-refactor cycle. Su...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Overall, the name/description (TDD assistant: generate tests, run tests, track coverage) matches the included scripts, which implement test generation, test running, and coverage for Python with optional C support. However, the SKILL.md repeatedly claims support for Jest and go test (JavaScript/Go), while the included code implements Python as a first-class target and only conditional C/Unity support; no JavaScript or Go framework is implemented in these scripts. This is a capability mismatch (misleading documentation) but not evidence of malicious behavior.
Instruction Scope
Instructions tell the agent to run the included Python scripts to generate and run tests and to produce coverage. That is expected for a TDD tool. Important behavioral notes: running tests will import and execute the project's code (normal for test runners), so arbitrary project code will run; the generator creates tests that import modules using 'from <module> import *', which can trigger module-level side effects. The scripts also read/write standard project files and write reports to /tmp (e.g., /tmp/coverage.json, /tmp/pytest_report.json). These are shared temporary locations and could cause races or contamination in multi-tenant environments.
Install Mechanism
There is no remote install or download step; the skill is instruction-only with included scripts. No external URLs, package installs, or archive extraction occur as part of the skill. This is low install risk. The scripts do rely on pytest (and optional C support libraries) being available on the system.
Credentials
The skill declares no required environment variables, credentials, or config paths and the code does not request secrets. It operates on workspace files and uses standard temp paths. This is proportionate to a TDD utility. Note: it writes to /tmp and will read project files — expected behavior but worth noting.
Persistence & Privilege
The always flag is false, and the skill does not request persistent system-wide privileges, nor does it modify other skills or system config. It only reads/writes files within the project and temp directories.
Assessment
This skill is largely coherent with a local TDD assistant, but take these precautions before installing or running it:
1) Run the scripts in an isolated environment (temporary VM, container, or a sandboxed workspace), because executing tests will import and run your project code and could execute arbitrary code.
2) Be aware the tool writes coverage and pytest JSON to /tmp; in multi-user or CI runners this can cause conflicts or expose data. Consider editing the scripts to use per-run temp files or a local directory.
3) The documentation claims JavaScript/Go support, but the provided code implements Python (and only conditional C support). Don't expect Jest/go test functionality from this package as-is.
4) The generated tests import modules with 'from <module> import *', which can trigger module-level side effects; review generated tests before running.
5) Ensure required tools (pytest, coverage, optional C support libraries) are installed in your environment.
If you need higher assurance, review the scripts locally or run them on a disposable container/CI runner first.
