Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

BugPack

v1.0.2

BugPack - AI-powered bug tracking and fixing toolkit. List bugs, view bug details with screenshots, and fix bugs automatically. Includes three workflows: lis...

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description (BugPack, local bug tracking + fixing) aligns with the instructions to call a local server (http://localhost:3456) and to list/view/fix bugs. However, the stated capability inherently requires access to the local codebase and filesystem, which the skill does not explicitly declare or limit.
Instruction Scope
SKILL.md tells the agent to run or rely on a local BugPack server (npx bugpack-mcp) and to use 'relatedFiles' or 'pagePath' to locate relevant source code, then 'apply fix: edit source code' and mark bugs as fixed. Those instructions require reading and writing arbitrary local files and interpreting paths provided by the server — potentially exposing secrets or modifying sensitive files. The instructions do not constrain which files may be touched, nor require explicit user review before edits.
Install Mechanism
No install spec in the skill package, but the SKILL.md explicitly instructs starting the server with 'npx bugpack-mcp'. npx will fetch and execute a package from the npm registry (network download + run), which is equivalent to running arbitrary third-party code on the machine. That is a high-risk operation and is not vetted or sandboxed by the skill.
Credentials
The skill declares no required env vars or config paths, but runtime behavior (reading 'relatedFiles', screenshots, environment, and modifying source files) implies access to arbitrary local filesystem paths and project data. The lack of declared required permissions or explicit limitations makes the requested access disproportionate and opaque.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not declare changing other skills' configs. However, because it enables autonomous actions (normal default) combined with instructions to edit local code and to run an npm package, the potential blast radius is larger — consider restricting autonomous execution or requiring manual confirmation for file changes.
What to consider before installing
This skill appears to do what it says, but it relies on running 'npx bugpack-mcp' (which downloads and runs code from npm) and instructs the agent to locate and edit local source files. Before using it:

  1. Inspect the 'bugpack-mcp' package source (do not run npx blindly).
  2. Run the server in a sandboxed or disposable environment (container / dedicated VM) if you must.
  3. Back up your repository and enable version control protection (review edits as PRs, require human approval) so automated fixes cannot overwrite important files.
  4. Confirm that 'relatedFiles' paths cannot point at secrets or system files.
  5. Prefer disabling autonomous edits: require the agent to produce patch suggestions for manual review rather than applying changes automatically.

If you cannot audit the npm package or are uncomfortable with file-system edits, do not enable this skill.


Runtime requirements: Clawdis
Version: v1.0.2
License: MIT-0

BugPack

AI-powered bug tracking and fixing toolkit. List, view, and fix bugs from BugPack.

Prerequisites

Start BugPack server first:

npx bugpack-mcp

Skill 1: List Bugs

Query all tracked bugs with optional filtering.

Instructions

  1. Call GET http://localhost:3456/api/bugs to fetch all bugs.
    • Optional: ?project_id=<id> to filter by project.
  2. Each bug has: id, title, description, status, priority, project_id, created_at.
  3. Present results grouped by status (pending / fixed / closed).

Example

GET http://localhost:3456/api/bugs

Skill 2: View Bug Details

Fetch full bug context including screenshots, environment, and related files.

Instructions

  1. Call GET http://localhost:3456/api/bugs/:id for full details.
  2. Response includes: title, description, status, priority, pagePath, device, browser, relatedFiles, screenshots.
  3. Use relatedFiles to locate relevant source code.
  4. Screenshots have original_path and annotated_path.

Example

GET http://localhost:3456/api/bugs/abc-123

Skill 3: Fix Bug

Read bug context, locate code, apply fix, and update status.

Instructions

  1. Get context: GET http://localhost:3456/api/bugs/:id
  2. Analyze: Read description and examine screenshots.
  3. Locate code: Use relatedFiles or search by pagePath and description.
  4. Apply fix: Edit source code following project conventions.
  5. Mark fixed: PATCH http://localhost:3456/api/bugs/:id with { "status": "fixed" }
  6. Add note (optional): Update description to document what was changed.

Example

# Get bug context
GET http://localhost:3456/api/bugs/abc-123

# Mark as fixed
PATCH http://localhost:3456/api/bugs/abc-123
Content-Type: application/json

{ "status": "fixed" }
