Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

DocSync

v1.0.1

Generate and auto-sync documentation from code with git hooks; detect and fix doc drift using tree-sitter parsing and semantic diffs locally.

Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's name/description (generate docs, detect drift, install git hooks) matches the requested binaries (git, bash) and the three brew installs (lefthook, tree-sitter, difftastic). One inconsistency: the registry metadata at top reported 'Required env vars: none' while the skill declares a primary credential DOCSYNC_LICENSE_KEY — the license is used to gate Pro/Team features. Otherwise required binaries and install formulas are appropriate for the claimed functionality.
Instruction Scope
SKILL.md and the scripts stay within the stated scope: local analysis (tree-sitter or regex), doc generation, drift reports, and git hook installation. Important runtime behaviors to be aware of: the hooks-install flow copies/merges a lefthook.yml into the repository root and runs lefthook install; the pre-commit hook will parse staged source files and can block commits on 'critical' drift. The skill reads ~/.openclaw/openclaw.json for an apiKey and sources its own scripts from the installed skill directory; it does not perform external network calls according to the code.
Install Mechanism
Install spec uses Homebrew formulas for well-known tools: lefthook, tree-sitter, and difftastic. No arbitrary downloads or URL-based installers are used in the provided files. This is proportional and traceable.
Credentials
The only credential the skill uses is DOCSYNC_LICENSE_KEY (primaryEnv) to unlock Pro/Team features; this is appropriate. Two small points: (1) the registry summary listed 'Required env vars: none' which contradicts the primary credential declaration, and (2) license.sh will read the user's ~/.openclaw/openclaw.json (if present) to look up the apiKey — it only extracts a specific field but does read that config file locally. No unrelated credentials or network-based secrets are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated system privileges. However, it does modify a repository's files: it will create or merge a lefthook.yml in the repo root and run lefthook install to add pre-commit hooks. Those hooks can block commits (unless skipped) and will run the skill's drift checks on staged files — this is expected behavior for a git-hook-based tool but is a persistent change to repositories the user opts into.
Assessment
DocSync appears to be what it says: a local doc generator and drift detector that uses lefthook/tree-sitter/difftastic. Before installing:

  1. Note that Pro/Team features require a license key (DOCSYNC_LICENSE_KEY) — registry metadata omitted this, so if you rely on the registry summary, set the env or add the apiKey to ~/.openclaw/openclaw.json as documented.
  2. Installing hooks will create/merge a lefthook.yml in your repository and run lefthook install; this will add a pre-commit hook that can block commits. Back up any existing lefthook.yml before install if you have custom hooks.
  3. The license check is performed offline and decodes the JWT payload without cryptographic signature verification; this is a design tradeoff for offline use (it affects licensing enforcement, not data exfiltration).
  4. The skill reads your ~/.openclaw/openclaw.json (local config) to find a stored apiKey; ensure that file is correct and trustworthy.
  5. Review the provided scripts (they are plain Bash) if you want to be certain; no network calls or obfuscated code were found in the source.

If you want stronger guarantees, run the code in a test repository first to observe the hook behavior and outputs.


Runtime requirements

📖 Clawdis
OS: macOS · Linux · Windows
Bins: git, bash
Primary env: DOCSYNC_LICENSE_KEY

Install

Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook
Install tree-sitter (code parser)
Bins: tree-sitter
brew install tree-sitter
Install difftastic (semantic diff)
Bins: difft
brew install difftastic
License: MIT-0

DocSync — Living Documentation for Your Codebase

DocSync generates documentation from your code and keeps it in sync automatically. It uses tree-sitter for multi-language AST parsing, lefthook for git hook integration, and difftastic for semantic change detection.

Commands

Free Tier (No license required)

docsync generate <file-or-directory>

Generate a one-shot README or API doc for a single file or directory.

How to execute:

bash "<SKILL_DIR>/scripts/docsync.sh" generate <target>

What it does:

  1. Parses the target file(s) with tree-sitter to extract symbols (functions, classes, exports, types, interfaces)
  2. Applies the appropriate template from <SKILL_DIR>/templates/
  3. Generates a markdown documentation file alongside the source

Example usage scenarios:

  • "Generate docs for src/utils/auth.ts" → runs docsync generate src/utils/auth.ts
  • "Document this whole directory" → runs docsync generate src/api/
  • "Create a README for this project" → runs docsync generate .

Pro Tier ($29/user/month — requires DOCSYNC_LICENSE_KEY)

docsync drift [directory]

Scan for documentation drift — find where code has changed but docs haven't been updated.

How to execute:

bash "<SKILL_DIR>/scripts/docsync.sh" drift [directory]

What it does:

  1. Validates license key from config
  2. Parses all source files with tree-sitter
  3. Compares extracted symbols against existing documentation
  4. Reports: new undocumented symbols, changed signatures with stale docs, deleted symbols still in docs
  5. Outputs a drift report with severity levels (critical/warning/info)

docsync hooks install

Install git hooks that automatically check for doc drift on every commit.

How to execute:

bash "<SKILL_DIR>/scripts/docsync.sh" hooks install

What it does:

  1. Validates Pro+ license
  2. Copies lefthook config to project root
  3. Installs lefthook pre-commit hook
  4. On every commit: analyzes staged files, blocks commit if critical drift detected, offers auto-regen
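
The scan assessment advises backing up lefthook.yml and trying the install in a test repository first. The script below is an added example, not part of DocSync: it fingerprints lefthook.yml and the active files in .git/hooks so a before/after comparison shows what the install wrote. The function names are hypothetical, and the install step is simulated on a constructed scratch repository.

```sh
# Added example, not DocSync code. Assumes hooks live in .git/hooks (no
# core.hooksPath override) and that file names contain no tabs.

file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Print "<sha256><TAB><path>" for the lefthook config and every active git hook.
hook_snapshot() {
    ( cd "$1" || exit 1
      for f in lefthook.yml .git/hooks/*; do
          [ -f "$f" ] || continue
          case "$f" in *.sample) continue ;; esac   # git's inert templates
          printf '%s\t%s\n' "$(file_hash "$f")" "$f"
      done )
}

# Compare two different snapshot files; report what an install added or rewrote.
hook_changes() {
    awk -F'\t' '
        FILENAME == ARGV[1] { old[$2] = $1; next }
        { seen[$2] = 1
          if (!($2 in old))        print "ADDED " $2
          else if (old[$2] != $1)  print "CHANGED " $2 }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# Constructed scenario: a scratch repo with a custom lefthook.yml, then a
# simulated install that merges into it and drops a pre-commit hook.
audit_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/repo/.git/hooks"
    printf 'pre-push:\n  commands:\n    test:\n      run: make test\n' > "$work/repo/lefthook.yml"
    hook_snapshot "$work/repo" > "$work/before"
    cp "$work/repo/lefthook.yml" "$work/lefthook.yml.bak"   # backup before install
    # Stand-in for: bash "<SKILL_DIR>/scripts/docsync.sh" hooks install
    printf '# constructed merged section\n' >> "$work/repo/lefthook.yml"
    printf '#!/bin/sh\n# constructed hook body\n' > "$work/repo/.git/hooks/pre-commit"
    hook_snapshot "$work/repo" > "$work/after"
    hook_changes "$work/before" "$work/after"
    rm -rf "$work"
}

audit_demo
```

In a real trial, replace the two simulated `printf` lines with the actual install command and keep the backup copy until the diff has been reviewed.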

docsync hooks uninstall

Remove DocSync git hooks.

bash "<SKILL_DIR>/scripts/docsync.sh" hooks uninstall

docsync auto-fix [directory]

Auto-regenerate stale documentation for files with detected drift.

bash "<SKILL_DIR>/scripts/docsync.sh" auto-fix [directory]

Team Tier ($49/user/month — requires DOCSYNC_LICENSE_KEY with team tier)

docsync onboarding [directory]

Generate a comprehensive onboarding guide for new developers.

bash "<SKILL_DIR>/scripts/docsync.sh" onboarding [directory]

docsync architecture [directory]

Generate architecture documentation showing module relationships and data flow.

bash "<SKILL_DIR>/scripts/docsync.sh" architecture [directory]

Supported Languages

DocSync uses tree-sitter grammars and supports:

  • JavaScript / TypeScript (including JSX/TSX)
  • Python
  • Rust
  • Go
  • Java
  • C / C++
  • Ruby
  • PHP
  • C#
  • Swift
  • Kotlin

Configuration

Users can configure DocSync in ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "docsync": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "outputDir": "docs",
          "templateOverrides": {},
          "excludePatterns": ["**/node_modules/**", "**/dist/**", "**/.git/**"],
          "languages": ["typescript", "python", "go"],
          "driftThreshold": "warning",
          "autoFix": false
        }
      }
    }
  }
}

Important Notes

  • Free tier works immediately with no configuration
  • Pro/Team tiers require a license key from https://docsync.pages.dev
  • All processing happens locally — no code is sent to external servers
  • License validation is offline — no network calls needed
  • Git hooks use lefthook which must be installed (see install metadata above)
  • tree-sitter and difftastic are optional but recommended for best results; the skill falls back to regex-based parsing if unavailable
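
Offline validation and signature checking are compatible: a verifier that ships only a public key can check an RS256 token with no network call. The following is an added example, not DocSync's license.sh; it assumes openssl and base64 are installed, and the function names, key files and token claims are constructed for illustration.

```sh
# Added example, not DocSync's license.sh. Requires openssl and base64.
# Token claims, key paths and function names are assumptions.

b64url_decode() {   # stdin: unpadded base64url text -> raw bytes on stdout
    _b64=$(tr '_-' '/+')
    while [ $(( ${#_b64} % 4 )) -ne 0 ]; do _b64="$_b64="; done
    printf '%s' "$_b64" | base64 -d 2>/dev/null
}

b64url_encode() { base64 | tr -d '\n=' | tr '/+' '_-'; }

# Return 0 only if TOKEN has three parts and its signature verifies under PUBKEY.
jwt_verify_rs256() {
    token=$1 pubkey=$2
    case "$token" in *.*.*.*) return 1 ;; *.*.*) ;; *) return 1 ;; esac
    head=${token%%.*}; rest=${token#*.}
    body=${rest%%.*};  sig=${rest#*.}
    # Reject tokens declaring another algorithm; the check below is always RS256.
    printf '%s' "$head" | b64url_decode | grep -q '"alg" *: *"RS256"' || return 1
    sigfile=$(mktemp) || return 1
    printf '%s' "$sig" | b64url_decode > "$sigfile"
    printf '%s' "$head.$body" |
        openssl dgst -sha256 -verify "$pubkey" -signature "$sigfile" >/dev/null 2>&1
    rc=$?; rm -f "$sigfile"; return $rc
}

# Print the claims only after the signature has been checked.
jwt_claims() {
    jwt_verify_rs256 "$1" "$2" && printf '%s' "$1" | cut -d. -f2 | b64url_decode
}

# Constructed demo: throwaway key pair, one genuine token, one edited payload.
jwt_demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/priv.pem" 2048 2>/dev/null
    openssl rsa -in "$d/priv.pem" -pubout -out "$d/pub.pem" 2>/dev/null
    h=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url_encode)
    p=$(printf '{"sub":"demo-user","exp":4102444800}' | b64url_encode)
    s=$(printf '%s' "$h.$p" | openssl dgst -sha256 -sign "$d/priv.pem" | b64url_encode)
    edited=$(printf '{"sub":"demo-user","exp":9999999999}' | b64url_encode)
    jwt_verify_rs256 "$h.$p.$s" "$d/pub.pem";      echo "genuine token: exit $?"
    jwt_verify_rs256 "$h.$edited.$s" "$d/pub.pem"; echo "edited payload: exit $?"
    rm -rf "$d"
}

jwt_demo
```

Claims such as `exp` are only meaningful once `jwt_verify_rs256` has returned 0, so any expiry or tier check belongs after that call.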

Error Handling

  • If tree-sitter is not installed, fall back to regex-based symbol extraction (less accurate but functional)
  • If lefthook is not installed and user tries hooks install, prompt to install it
  • If license key is invalid or expired, show clear message with link to https://docsync.pages.dev/renew
  • If a language grammar is not available, skip that file with a warning

When to Use DocSync

The user might say things like:

  • "Generate docs for this file/project"
  • "Are my docs up to date?"
  • "Check for documentation drift"
  • "Set up auto-docs on my commits"
  • "Create an onboarding guide"
  • "Document the architecture"
  • "What's undocumented in this codebase?"
