update-project-docs
v1.0.1

This skill should be used when the user asks to "update documentation for my changes", "check docs for this PR", "what docs need updating", "sync docs with c...
by Ge Haizhou (@openghz)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description match the runtime instructions. The SKILL.md describes discovering docs, mapping code-to-docs, auditing the repo, scaffolding doc infrastructure, updating files, validating builds/lints, and recording a .docs-sync marker — all appropriate for an 'update-project-docs' skill. No unrelated environment variables, binaries, or installs are requested.
Instruction Scope
The instructions explicitly require reading the entire codebase (first-run full audit), searching docs/config files, running git commands, and optionally running the project's lint/build checks or doc preview commands (e.g., npm run docs:dev, mkdocs serve, sphinx-build). This is coherent for the purpose, but running project build/lint/preview scripts executes repository code and arbitrary scripts defined in the repo — a security and supply-chain risk that the user should be aware of. The skill does require creating/recording a `.docs-sync` file and staging/committing documentation changes; the workflow generally prompts for user confirmation on uncommitted changes and review steps, but ensure the agent will ask before committing changes.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is downloaded or written by an installer. This is the lowest-risk install profile.
Credentials
The skill requests no environment variables, credentials, or config paths beyond reading repository files. There are no disproportionate secret requests.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence. It writes/updates repository-local artifacts (e.g., `.docs-sync`, documentation files, commits) which is appropriate for its purpose. Note: the skill is allowed to be invoked autonomously by default (platform normal), so consider restricting autonomous runs if you want to limit unintended commits or builds.
Assessment
This skill appears to do what it claims, but review these precautions before use:
- Be aware the first-run full audit reads the entire repository and may run project build/lint/docs commands which execute code from the repo. Run it in a safe environment (local dev machine you control, a disposable container, or CI sandbox) rather than an environment with sensitive credentials.
- Require explicit confirmation before the skill stages or commits changes. Prefer that the skill prepares a diff or branch and asks you to inspect/approve before committing.
- Back up important or sensitive files and ensure no secrets are stored in docs that could be accidentally committed. Inspect the `.docs-sync` location and contents after the run.
- If you want to be conservative, run a dry-run/read-only audit first (no commits, no script execution) to get a list of proposed changes, then run an update pass in a branch you control.
- If you are using autonomous agents, restrict this skill's ability to run without user approval — automated commits or builds increase blast radius.
If you want me to check the SKILL.md for specific commands the agent would run in your environment (or to produce a safe dry-run plan), I can do that.