Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vibe Coding Best Practices v3.0

v1.0.0

Provides a comprehensive AI-assisted development workflow with PLAN/ACT separation, multi-agent collaboration, fault recovery, and security code review best...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description (Vibe Coding Best Practices) match the content: workflow guidance, multi-agent orchestration, recovery SOPs, and security checklists. The skill declares no binaries, env vars, or installs, which is consistent with an instruction-only guideline.
Instruction Scope
SKILL.md explicitly instructs agents (in PLAN prompts) to read repository context (read_file/search_files), consult LOG.md, status/*.status, worktree dirs, and use git commands and example scripts. Those file and command targets are appropriate for a developer workflow, but they do grant the agent broad access to repository contents (including any secrets accidentally committed).
Install Mechanism
No install spec or external downloads; instruction-only skill — lowest install risk.
Credentials
The skill requests no environment variables or credentials. It references services/tools (Claude, Kimi, OpenClaw, Sentry) only as recommendations; no unrelated secrets are demanded.
Persistence & Privilege
Skill flags: always:false and agent invocation allowed (normal). The guide suggests creating repo hooks (post-commit auto-push) and example persistent PowerShell timers — these are user-side setup suggestions and could create persistent behavior or automatic network pushes if implemented, so users should review before applying.
Assessment
This skill is a coherent, instruction-only best-practices guide for AI-assisted development and appears to be what it claims. Before using its example scripts or following its automation recipes: 1) review any proposed git commands (git reset --hard, auto-push hooks) on a backup or test repo to avoid accidental data loss or unintended pushes; 2) do not enable auto-push/post-commit hooks unless the remote is trusted; 3) audit any files the agent will be instructed to read (LOG.md, memory/tasks/, status/) to ensure they contain no secrets or sensitive data; 4) follow the guide's own security red lines (manual review for auth/payment/DB schema/migrations); and 5) if you let an agent run these commands autonomously, restrict its permissions and monitor operations. These precautions will keep the guidance useful without exposing your code or secrets.


latest: vk97ezax967fbsgqt83c2krrqjd821w5e

