ai-coding-standards
Verdict: Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: ai-coding-standards
Version: 1.0.0

The skill bundle provides legitimate tools for enforcing AI coding standards and tracking project plans. It includes a static code analyzer (quality_checker.py) and a local task management system (plan_tracker.py) that stores data in a dedicated directory (~/.ai_plans). While SKILL.md suggests the creation of git hooks, this is a standard development practice for quality enforcement and lacks any indicators of malicious intent, data exfiltration, or unauthorized remote execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run on a broad directory, the agent may inspect many local code files and expose file names or quality results in the conversation.

The checker can recursively walk a user-provided directory and read matching source files. This is expected for a code-quality tool, but the scope depends on the path the user or agent supplies.

```python
# Excerpt from quality_checker.py: every file under dir_path whose
# extension matches is read and checked, with no depth or path limit.
for root, _, files in os.walk(dir_path):
    for file in files:
        if any(file.endswith(ext) for ext in extensions):
            file_path = os.path.join(root, file)
            results.append(self.check_file(file_path))
```

Run checks only on the intended project or subdirectory, and avoid scanning broad private folders unless that is deliberate.
A Git hook can block commits or run local checks automatically during future Git operations.

The skill suggests installing a Git pre-commit hook, which would execute during future Git commit operations. This is aligned with the stated hook-enforcement purpose, but users should review hook contents before enabling it.

```shell
mkdir -p .git/hooks
cp pre-commit.sample .git/hooks/pre-commit
```

Only install a pre-commit hook after reviewing the exact hook script, and keep it scoped to the project repository.
Setup instructions may be incomplete, and users might look for or create missing hook/helper code outside the reviewed artifact set.

The documentation lists tools and a hook sample that are not present in the provided manifest/source. This does not show malicious behavior, but it means some documented functionality cannot be reviewed from the supplied artifacts.

- `ContextManager` - context management
- `PlanTracker` - persistent plan tracking
- `HookRunner` - hook interception and execution

Verify any missing helper scripts or modules from a trusted source before copying them into Git hooks or using them in projects.
Old or manually modified plan files could influence future work, and task descriptions may remain on disk after the session ends.

The PlanTracker creates persistent local plan storage under the user's home directory. Persistent plans are part of the stated purpose, but they may be reused across sessions and could contain sensitive task context.

```python
# Excerpt from plan_tracker.py: plans default to ~/.ai_plans and the
# directory is created on first use, so plan files persist between sessions.
if storage_dir is None:
    storage_dir = os.path.expanduser("~/.ai_plans")
self.storage_dir = storage_dir
os.makedirs(storage_dir, exist_ok=True)
```

Avoid storing secrets in plans, periodically review ~/.ai_plans, and clear stale or untrusted plan files when they should no longer guide the agent.
