Ai Company Cqo
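v2.0.0
AI company Chief Quality Officer (CQO) skill pack. End-to-end AI quality inspection process, PDCA-BROKE dual loop, quality gates G0-G4, three-tier verification architecture, meta-prompt self-optimization.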
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill is a CQO/quality-management package and includes a quality gate checker tool (tools/quality_gate_checker.py) which matches the stated purpose. Declared dependencies (other ai-company roles) and lack of required env vars or external binaries are proportionate. Minor inconsistency: SKILL.md and registry list version 2.0.0 while meta.json/_meta.json show 1.1.x.
Instruction Scope
SKILL.md is an instruction-only skill that defines interfaces and QA processes; the included checker script scans files under a supplied skill_path (rglob('*')) for sensitive patterns and dangerous-code patterns. That scanning behavior is expected for a quality gate but means the tool will read all files under the target path — run it only on intended directories. The SKILL.md does not instruct network exfiltration or access to unrelated credential sources.
Install Mechanism
No install spec or remote downloads; code is delivered as-is in the repo (instruction-only plus a local Python tool). No package manager or external fetches were declared, which is low-risk.
Credentials
The skill requires no environment variables or credentials. The quality checker looks for common secret patterns in files (to warn) but does not request or require secrets — this is proportionate to a security/quality scanner.
Persistence & Privilege
always:false and model invocation allowed (platform default). The skill declares mcp permissions [sessions_send, subagents], which enable sending session messages and spawning subagents — a legitimately useful capability for cross-agent coordination in a CQO role but a higher-privilege action. Because always is false and there is no install-time persistence, this is not inherently malicious but should be reviewed and limited if unnecessary.
Assessment
This skill appears to do what it says: a CQO guide plus a local quality-gate checker script. Before installing or running:
1) Note the version mismatch between SKILL.md (v2.0.0) and meta.json (v1.1.x) — ask the publisher to reconcile versions.
2) Review the mcp permissions (sessions_send, subagents); if you don't want the skill to spawn subagents or send sessions, remove or restrict that permission.
3) Run the quality_gate_checker only on directories you intend it to scan (it reads all files under the provided path and will flag any secrets it finds).
4) Because the checker looks for patterns like eval/exec and API keys, verify its output and ensure it does not get sent to external endpoints (the skill declares no network access).
If you need higher assurance, request the publisher provide a signed release or run the checker in an isolated environment first.
Like a lobster shell, security has layers — review code before you run it.
Tags: ai-company, c-suite, cqo, latest, quality, testing
