Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

doc-sync

v1.0.0

Context-Aware Doc Generator: Automatically syncs Python docstrings (Google style), Go comments, and README.md based on code changes. Also logs change summari...

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The skill's name and description promise automatic synchronization of Python docstrings, Go comments, and README.md, but the bundled files contain only a KB sync script (scripts/kb_sync.py) and reference materials. There is no implementation for parsing or modifying source files or README sections, which is a meaningful mismatch between the claimed capability and the included artifacts.
Instruction Scope
SKILL.md instructs the agent to update docstrings and README.md and to log change summaries using scripts/kb_sync.py. The KB logging script exists and writes locally, which matches that part of the instructions, but the instructions otherwise assume the agent can modify code/comments/README — there is no code or explicit safe workflow for performing those edits or for seeking user approval before applying changes.
Install Mechanism
No install specification is provided (instruction-only with one helper script). No external downloads or installers are indicated, so nothing new would be written to disk by an installer step beyond the script already bundled.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The included script optionally imports chromadb if installed but does not require secrets or network endpoints. The only filesystem impact is writing to a local .gemini directory.
Persistence & Privilege
The always flag is false and model invocation is allowed (the default). If used, the skill will persist local artifacts (.gemini/kb or .gemini/changelog.jsonl), but it does not request elevated or cross-skill privileges.
What to consider before installing
This package overclaims functionality: it promises automatic docstring and README updates but only includes a script that logs change summaries to a local KB, plus a doc-style reference. Before installing or invoking:
(1) Treat the skill as incomplete — verify where and how doc/README edits would be produced (ask the author for the editing implementation or additional scripts).
(2) Because the skill can write to .gemini/, run it first in a disposable or version-controlled repo and make sure you have backups or commits you can revert to.
(3) If you want automatic file edits, require explicit human review/approval steps (or CI-based changes) rather than blind writes.
(4) If you need vector-based KB storage, be aware it will look for a local ChromaDB and persist under ./.gemini/kb; installing chromadb is optional.
Additional information that would change this assessment: included code that actually performs docstring/README edits (showing what files are modified and how), any install scripts, or any network endpoints/credentials — those would need re-review.


License

MIT-0
Free to use, modify, and redistribute. No attribution required.
