cg-test-skill
v1.0.0cg write Node.js package manager with strict dependency resolution. Use when running pnpm specific commands, configuring workspaces, or managing dependencies...
⭐ 0· 148·0 current·0 all-time
byGang Chen@moonball
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description clearly target pnpm usage, workspaces, and dependency management and the SKILL.md content stays on that topic. Minor inconsistency: the skill expects the agent to run pnpm commands (advice about --frozen-lockfile, workspace files, CLI commands), yet the registry metadata lists no required binary. A declared requirement for the pnpm binary would be expected.
Instruction Scope
Runtime instructions are scoped to pnpm usage: checking pnpm-workspace.yaml, .npmrc, using CLI flags, and best practices. This is appropriate for the skill. However, the guidance explicitly tells agents to check .npmrc files — those files can contain registry auth tokens or credentials. While checking them is relevant to pnpm behavior, it carries a privacy risk if an agent transmits their contents externally; the skill does not instruct any external transmission, but the instruction to read .npmrc is notable.
Install Mechanism
No install spec (instruction-only). This is low-risk: nothing is downloaded or written to disk by the skill package itself.
Credentials
The skill declares no required environment variables or credentials, which is proportionate to an instruction-only pnpm helper. There are no unrelated secrets requested.
Persistence & Privilege
The skill is not forced always-on and has no install-time persistence. Autonomous invocation is allowed by platform default (not a concern by itself).
Assessment
This skill is an instruction-only pnpm reference and appears to do what it says. Before installing/using it: ensure the agent environment actually has the pnpm binary available (the skill assumes you can run pnpm but doesn't declare that requirement); be aware the skill advises agents to read pnpm-workspace.yaml and .npmrc — .npmrc files can contain registry authentication tokens or other secrets, so avoid exposing projects with sensitive .npmrc contents to an agent unless you trust it and/or have scrubbed credentials. Because the skill is instruction-only, it will not install pnpm for you; if you need automated installation, prefer a skill that explicitly documents an install step and the sources it will download from.Like a lobster shell, security has layers — review code before you run it.
latestvk97fy8w7dasv3azptthd8y6ycd82z17m
License
MIT-0
Free to use, modify, and redistribute. No attribution required.