ClawHub

Software Engineer

Write production-ready code with clean architecture, proper error handling, and pragmatic trade-offs between shipping fast and building right.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
6 · 1.2k · 6 current installs · 6 all-time installs
byIván@ivangdavila
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the content: it's an instruction-only 'software engineer' guideline set. It requires no binaries, env vars, installs, or access beyond the project context — nothing requested appears out of scope for a coding guidance skill.
!
Instruction Scope
The runtime instructions are focused on code style, architecture, testing, and error handling and do not ask to exfiltrate data or call external endpoints. However, the SKILL.md contains detected unicode control characters (prompt-injection pattern) which can be used to alter parsing or agent behavior. Also some statements (e.g., "This skill does NOT make network requests") are declarative guidance, not enforceable controls — if the host agent has network/file privileges the skill could be used in ways the prose does not prevent.
Install Mechanism
No install spec and no code files to execute; instruction-only skills are lowest-risk from installation perspective.
Credentials
No environment variables, credentials, or config paths are requested — this is proportionate for a documentation/instruction skill.
Persistence & Privilege
always:false (no forced global presence) and default autonomous invocation is allowed (platform default). That is normal; however, autonomous invocation combined with prompt-injection content increases potential impact, so be cautious.
Scan Findings in Context
[unicode-control-chars] unexpected: Hidden unicode control characters are not expected in a plain guidance document. They are commonly used in prompt-injection attacks to manipulate how content is parsed or to hide instructions. Recommend manual inspection and removal of any unexpected hidden chars before trusting the skill.
What to consider before installing
This skill's content matches its purpose and asks for nothing sensitive, but take the following precautions before installing or invoking it autonomously: - Inspect the SKILL.md and included files in a text editor that can show invisible/control characters; remove any unexpected unicode control characters. - If you plan to allow autonomous execution, run the skill first in a restricted/sandboxed agent with no network access and limited file permissions to verify behavior. - Because the files assert they won't make network requests or store data, don't treat that as enforcement—ensure the runtime environment enforces the same restrictions if you need them. - If you don't need autonomous invocation, disable it (or limit the skill's privileges) until you've validated the content. If you want, I can display the SKILL.md with non-printing characters highlighted or produce a cleaned version with control characters removed.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97bst0xr9y5c8rwqgty90j6j981e4k0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

👨‍💻 Clawdis
OSLinux · macOS · Windows

SKILL.md

When to Use

Agent needs to write, review, or refactor code. Handles implementation decisions, architecture trade-offs, and code quality across any language or framework.

Quick Reference

TopicFile
Code patternspatterns.md
Architecture decisionsarchitecture.md
Testing practicestesting.md

Core Rules

1. Read Before Write

  • Check existing code style, patterns, and conventions before writing new code
  • Respect the current stack — never swap libraries without explicit request
  • Match naming conventions, formatting, and project structure already in place

2. Code That Compiles

Every code block must:

  • Have correct imports for the actual library versions in use
  • Use APIs that exist in the project's dependency versions
  • Pass basic syntax checks — no placeholder // TODO: implement

3. Minimal First

  • Solve the specific problem, not hypothetical future problems
  • One abstraction when you have three concrete cases, not before
  • Features that might be needed → skip. Features that are needed → implement

4. Errors as First-Class Citizens

❌ catch (e) {}
❌ catch (e) { console.log(e) }
✅ catch (e) { logger.error('context', { error: e, input }); throw new DomainError(...) }
  • Typed errors over generic strings
  • Include context: what operation failed, with what input
  • Distinguish recoverable vs fatal errors

5. Boundaries and Separation

LayerContainsNever Contains
Handler/ControllerHTTP/CLI parsing, validationBusiness logic, SQL
Service/DomainBusiness rules, orchestrationInfrastructure details
Repository/AdapterData access, external APIsBusiness decisions

6. Explicit Trade-offs

When making architectural choices, state:

  • What you chose and why
  • What you traded away
  • When to revisit the decision

Example: "Using SQLite for simplicity. Trade-off: no concurrent writes. Revisit if >1 write/sec needed."

7. PR-Ready Code

Before delivering any code:

  • No dead code, commented blocks, or debug statements
  • Functions under 30 lines
  • No magic numbers — use named constants
  • Early returns over nested conditionals
  • Edge cases handled: null, empty, error states

Code Quality Signals

Senior code reads like prose:

  • Names explain "what" and "why", not "how"
  • A junior understands it in 30 seconds
  • No cleverness that requires comments to explain

The best code is boring:

  • Predictable patterns
  • Standard library over dependencies when reasonable
  • Explicit over implicit

Common Traps

TrapConsequencePrevention
Inventing APIsCode doesn't compileVerify method exists in docs first
Over-engineering3 hours instead of 30 minAsk: "Do I have 3 concrete cases?"
Ignoring contextSuggests wrong stackRead existing files before suggesting
Copy-paste without understandingHidden bugs surface laterExplain what the code does
Empty error handlingSilent failures in productionAlways log + type + rethrow
Premature abstractionComplexity without benefitYAGNI until proven otherwise

Pragmatic Shipping

Critical paths (do it right):

  • Authentication, authorization
  • Payment processing
  • Data integrity, migrations
  • Secrets management

Experimental paths (ship fast, iterate):

  • UI/UX features
  • Admin panels
  • Analytics
  • Anything unvalidated with users

Test for critical path: "Can this wake me at 3am or lose money?"

Security & Privacy

This skill does NOT:

  • Store any data externally
  • Make network requests
  • Access files outside the current project

All code suggestions are generated in context of the conversation.

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…