ai-coding-standards
Pass. Audited by ClawScan on May 10, 2026.
Overview
This skill appears to be a local coding-standards helper, but users should note that it can persist task plans, recursively inspect project files, and suggest installing Git hooks.
This skill is reasonable for local coding-standard enforcement. Before installing, review any hook script you plan to use, run directory checks only on intended project paths, and be aware that plan files stored under ~/.ai_plans may persist across sessions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run on a broad directory, the agent may inspect many local code files and expose file names or quality results in the conversation.
The checker can recursively walk a user-provided directory and read matching source files. This is expected for a code-quality tool, but the scope depends on the path the user or agent supplies.
for root, _, files in os.walk(dir_path):
    for file in files:
        if any(file.endswith(ext) for ext in extensions):
            file_path = os.path.join(root, file)
            results.append(self.check_file(file_path))

Run checks only on the intended project or subdirectory, and avoid scanning broad private folders unless that is deliberate.
A Git hook can block commits or run local checks automatically during future Git operations.
The skill suggests installing a Git pre-commit hook, which would execute during future Git commit operations. This is aligned with the stated hook-enforcement purpose, but users should review hook contents before enabling it.
mkdir -p .git/hooks
cp pre-commit.sample .git/hooks/pre-commit
Only install a pre-commit hook after reviewing the exact hook script, and keep it scoped to the project repository.
Setup instructions may be incomplete, and users might look for or create missing hook/helper code outside the reviewed artifact set.
The documentation lists tools and a hook sample that are not present in the provided manifest/source. This does not show malicious behavior, but it means some documented functionality cannot be reviewed from the supplied artifacts.
- `ContextManager` - context management
- `PlanTracker` - persistent plan tracking
- `HookRunner` - hook interception and execution
Verify any missing helper scripts or modules from a trusted source before copying them into Git hooks or using them in projects.
Old or manually modified plan files could influence future work, and task descriptions may remain on disk after the session ends.
The PlanTracker creates persistent local plan storage under the user's home directory. Persistent plans are part of the stated purpose, but they may be reused across sessions and could contain sensitive task context.
if storage_dir is None:
    storage_dir = os.path.expanduser("~/.ai_plans")
self.storage_dir = storage_dir
os.makedirs(storage_dir, exist_ok=True)

Avoid storing secrets in plans, periodically review ~/.ai_plans, and clear stale or untrusted plan files when they should no longer guide the agent.
