Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Release Prep
v1.0.0
Deep code audit + documentation sync + release preparation for Python packages. Use when preparing a release, checking code quality before publishing, auditi...
by Sergey Morozik (@morozsm)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious · medium confidence
Purpose & Capability
The SKILL.md implements a Python package audit/fix/release pipeline (pytest, ruff, mypy, doc checks, changelog, bump/tag/publish). However, the skill metadata declares no required binaries or credentials, even though the instructions require python, pytest/pytest-cov, ruff, mypy, git and, for 'release' mode, a PyPI token or git push credentials. The omission of those requirements is an inconsistency.
Instruction Scope
Instructions operate on repository files (src/, tests/, pyproject.toml, README.md, CHANGELOG.md), which is appropriate for the stated purpose. The 'fix' and 'release' modes imply automated edits, tagging, and publishing; the SKILL.md does not include explicit safeguards, review steps, or explicit credential handling for publishing.
Install Mechanism
This is an instruction-only skill with no install spec, which is the lowest install risk. It does assume developer tooling is present on PATH rather than installing anything itself.
Credentials
No environment variables or credentials are declared, yet 'release' mode references actions (publish to PyPI, tag/push) that normally require API tokens or git credentials. The SKILL.md also assumes the presence of several CLI tools (python, pytest, ruff, mypy, grep/sed), but none of them are declared as required binaries.
Persistence & Privilege
always:false, no install, and no persistent system-wide changes are declared by the skill metadata. The skill can be invoked autonomously (default), which increases impact if allowed to run 'release' mode, but that alone is not a misconfiguration.
What to consider before installing
This skill appears to perform exactly the kinds of checks you want for a Python release, but there are important omissions and risks to consider before installing/allowing it to run:
- Tools and dependencies: SKILL.md calls python, pytest (and pytest-cov), ruff, mypy, and standard Unix utilities (grep/sed). The package metadata lists no required binaries; ensure these tools exist in the execution environment before running.
- Automatic fixes and publishing: 'fix' and 'release' modes will modify repository files and may tag/publish packages. Run it first in 'audit' mode only, review any suggested fixes, and require manual approval before letting it perform commits, tags, pushes, or PyPI uploads.
- Credentials: publishing to PyPI and pushing tags typically requires a PyPI API token and git credentials. The skill does not declare nor request these; do not provide credentials implicitly. If you enable 'release' features, supply tokens via a secure mechanism and restrict their scope.
- Autonomous invocation: because the agent can be invoked autonomously, avoid granting it unchecked permission to run 'release' mode. Prefer running the skill interactively or in a sandbox/CI environment where you can review changes and control credentials.
If you want to proceed: (1) run in audit mode first, (2) verify tools are installed, (3) review all diffs before accepting fixes, and (4) only provide publish credentials in a controlled, scoped way (e.g., CI secrets, short-lived token).
