Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
design-doc-generator
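v1.0.0
Generates a standard module design document (Word .docx) from front-end and back-end project code plus front-end pages. Activation triggers: (1) the user asks to compile or generate a design document for a module, (2) the user asks for technical documentation such as functional design, table structures, or process descriptions, (3) the user mentions "design document", "module document", or "technical document".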
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (generate design docs from front/backend code + pages) aligns with the SKILL.md and the included Python script template which builds a .docx from code-derived metadata and screenshots. Requested artifacts (code paths, page URLs) are appropriate for the stated goal.
Instruction Scope
Instructions require deeply reading front and backend code, extracting fields/annotations, and using an agent-browser to visit pages and take screenshots. This is within scope, but the SKILL.md explicitly instructs the agent to ask the user for login info (tenant/username/password) if pages require authentication, and to read arbitrary project files — both of which can expose sensitive data if the user supplies production credentials or the repository contains secrets.
Install Mechanism
No install spec; instruction-only with a local Python script template. The script depends on python-docx (not packaged here) which is reasonable and expected.
Credentials
The skill declares no env vars/credentials, but runtime instructions tell the agent to prompt for site login credentials when needed. Requesting credentials interactively is coherent with purpose, but the skill does not document how credentials are stored/used — so users should avoid providing production secrets and prefer temporary/test accounts.
Persistence & Privilege
always:false and no install actions; the skill does not request permanent platform presence or modify other skill settings. It writes outputs/screenshots to local filesystem as part of normal operation.
Assessment
This skill is coherent for generating design-docx from code and pages, but review and limit sensitive access before use. Key points:
- The agent will read your front/backend project files; these may contain secrets (DB credentials, API keys). Only point it at a repository or copy you trust.
- If pages require login, the skill asks you to provide tenant/username/password interactively — use a test account, not production credentials, and confirm how/where credentials are used/stored.
- The included Python script has a hard-coded example BASE path (C:\Users\liuchao25\...) — change it to an appropriate output directory to avoid writing into unexpected locations.
- You must have python-docx available in the execution environment to run the script. The skill does not perform network calls or include hidden endpoints in the provided files.
- If you need stronger assurances, request that the skill run on an isolated environment or provide a sanitized copy of the codebase and test credentials before invoking it.
Like a lobster shell, security has layers — review code before you run it.
latest vk979dh35cpeaszxn0mstdr570n83qzf3
