Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Better Ralph
v1.0.0
Run one Better Ralph iteration: pick next incomplete PRD story by priority, implement it, run checks, commit, mark passed, and append progress, using only st...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description (one-iteration PRD-driven implementation) match the runtime instructions: reading prd.json and progress.txt, selecting a story, editing code, running project checks, committing, and updating progress. The skill requests no unrelated credentials, binaries, or config paths.
Instruction Scope
Instructions are explicit and confined to repository-local actions (read/write prd.json and progress.txt, use git, run project quality commands). However, the skill is permitted to run whatever the project's test/lint/typecheck scripts are defined to run — those scripts may execute arbitrary code, access the network, or require environment variables. The guidance to 'implement the story' means the agent will edit repository source files; this is intended but important to be aware of.
Install Mechanism
No install spec or external downloads — instruction-only skill. Nothing is written to disk by an installer and no third-party packages are pulled by the skill itself.
Credentials
Skill declares no environment variables or credentials, which is appropriate. Be aware tests or acceptance criteria may require environment variables, secrets, or service credentials at runtime (not declared by the skill). The skill itself does not request broad credential access.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent system-wide privileges or attempt to modify other skills or global agent settings. Its actions are limited to the workspace/git repository as described.
Scan Findings in Context
[NO_SCAN_FINDINGS] expected: No code files present; the regex-based scanner had nothing to analyze. This is expected for an instruction-only skill (behavior is defined in SKILL.md).
Assessment
This skill will modify files in your repository and commit changes automatically after running the project's tests/lints. Before using it: (1) review prd.json and progress.txt so the agent has the right instructions; (2) ensure the project's test/lint scripts are safe to run locally (they can execute arbitrary code or call external services); (3) run the skill in a disposable branch or a sandboxed environment first; (4) if tests require secrets or environment variables, provide them only if you're comfortable (the skill does not request them explicitly); (5) consider invoking it manually the first time to observe behavior rather than enabling autonomous invocation.
