Skill Lifecycle
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent developer automation skill, but it can install Python packages, run local test code, commit repository changes, and optionally publish to ClawHub using your existing account.
This skill appears safe for its stated purpose, but treat it like a developer release tool: run it only in the intended repository, review git status before commits, use dry-run/check modes before publishing, and avoid running tests from untrusted skills outside a sandbox.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

A later dependency release could change behavior or introduce a vulnerability in the local tool environment.
The skill expects Python packages to be installed, and the requirements use lower-bound version ranges rather than exact pins. This is common for CLI tools but means future dependency versions may vary.
click>=8.0.0 ... semver>=3.0.0 ... rich>=13.0.0 ... pyyaml>=6.0.0
Install in a virtual environment and consider pinning or reviewing dependency versions before use in sensitive workflows.

Running the tool on an untrusted skill could execute that skill’s test code on your machine.
The test command runs discovered or specified test files as Python code. That is expected for a lifecycle testing tool, but test files from untrusted skills can execute arbitrary local code.
cmd = [str(venv_python), str(test_file)] ... subprocess.run(cmd, capture_output=True, text=True, timeout=300)
Use this only with trusted skill directories, or run it in a sandbox/virtual environment when testing third-party code.

Local secrets, drafts, or unrelated changes could be committed if they are present in the target repository.
The Git commit command can stage all changes in the selected repository. This is purpose-aligned for lifecycle automation, but it can include unintended untracked files if the repository is not clean or .gitignore is incomplete.
subprocess.run(['git', 'add', '-A'], cwd=skill_dir, check=True)
Review the displayed git status, use --dry-run first, and ensure .gitignore excludes private files before running automated commits.

If invoked, the skill can publish the selected skill under your configured ClawHub account.
The optional publish command delegates to the local ClawHub CLI, which will use whatever account/session is configured on the user’s machine. No token capture or credential storage is shown.
cmd = ['clawhub', 'publish', '.', '--version', version]
Confirm you are signed into the intended ClawHub account and use --check or --dry-run before publishing.

A mistaken batch command could version-bump and commit changes across multiple skills.
The batch command can run the development workflow across multiple user-supplied skill directories concurrently. This is consistent with automation, but a wrong bump or directory selection can affect many repositories at once.
with ThreadPoolExecutor(max_workers=jobs) as executor: ... executor.submit(process_skill, skill_dir, bump, skip_test, skip_scan)
Start with a small set of directories, use dry-run-style workflows where available, and verify the target list before batch processing.
