Vibe Coding Best Practices v3.0
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: vibe-3k
Version: 1.0.0
The skill bundle provides comprehensive best practices for AI-assisted development, including strong recommendations for human review in security-critical areas. However, several shell scripts, particularly the 'Leader Summarization Script' in `references/03-multi-agent.md` and the `post-commit` hook in `references/04-emergency.md`, process agent-generated status files or automate Git pushes. While intended for benign purposes like progress tracking and version control, these scripts lack robust input sanitization when processing data from other agents and could facilitate the exfiltration of malicious code if an agent were compromised, indicating vulnerabilities and risky capabilities without clear malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this guidance is followed, unreviewed AI-generated changes or accidentally included sensitive files could be committed and pushed to a remote repository, potentially visible to collaborators or triggering CI/deployment workflows.
The guide recommends a persistent Git post-commit hook that automatically pushes to the configured remote, and a timer workflow that automatically stages and commits worktree changes. These are user-directed examples, but they lack clear review, branch, path, or removal safeguards.
# post-commit hook: auto-push ... git push origin HEAD 2>/dev/null || true ... $timer = New-Object System.Timers.Timer(600000) ... git add -A ... git commit -m "auto-snapshot ..."
Do not enable auto-commit or auto-push hooks by default. Prefer manual review before commits and pushes, or scope automation to a private backup branch with clear removal instructions and secret scanning.
Design documents, handoff notes, logs, and code details may be shared across agents or models during collaboration.
The skill intentionally uses handoff files and multiple agent sessions. This is aligned with its multi-agent workflow purpose, but it means project context moves between agents, sessions, and possibly model providers.
PM Agent analysis → DESIGN.md + HANDOFF.md → Dev Agent execution (new session) → code + LOG.md → QA Agent review
Keep secrets and private production data out of handoff files, specify which files each agent may read or edit, and retain human review before merging changes.
Project history, mistakes, and results may remain in local memory/task records and could be reused later.
The skill describes persistent task records for completed projects. That is useful for recovery and learning, but it can retain sensitive project details and influence future agent context.
memory/tasks/ ... Every completed Vibe Coding project generates a task record containing the execution process, pitfalls encountered, and results.
Store only non-sensitive summaries, review or delete old task records, and avoid saving credentials, private user data, or confidential business details.
