validation-agent

Pass

Audited by ClawScan on May 7, 2026.

Overview

This instruction-only validation skill is coherent and purpose-aligned, but it may read project files and run local test, audit, build, and benchmark commands.

This skill appears safe for its intended purpose as a code validation checklist. Before installing, be aware that it may read project files and run local project commands such as tests, audits, builds, and benchmarks. Use a sandbox for untrusted repositories and review reports before sharing them because they may include file paths, test output, or discovered secrets.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used on an untrusted project, local tests or scripts could run code from that project on the user's machine.

Why it was flagged

The skill explicitly asks the agent to run project test commands. This is central to validation, but test commands can execute repository-controlled code.

Skill content

Run Test Suite (using Bash): npm test; pytest; go test ./...; cargo test

Recommendation

Use this skill on trusted repositories or in a sandboxed environment when validating unfamiliar code.

What this means

The agent may read and summarize sensitive project content, including accidentally committed secrets, while performing validation.

Why it was flagged

The skill uses broad read and search tools across the project workspace. This is expected for code validation, but it means the agent may inspect many project files.

Skill content

Use Glob to find all modified files ... Review Modified Files (using Read) ... Search for Anti-Patterns (using Grep)

Recommendation

Review the generated validation report before sharing it externally, especially if the repository may contain secrets or private code.