ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

知心测试助手

v1.0.0

Write and run tests with frameworks like Vitest, Jest, pytest, XCTest, and Playwright for unit, integration, and E2E testing in multiple languages.

0· 19·0 current·0 all-time
by@690566155-blip
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md provides practical commands and examples for Vitest, Jest, pytest, XCTest, and Playwright, which matches the skill name and description. No extra unrelated capabilities are requested in the instructions or manifest.
Instruction Scope
The instructions are generally scoped to writing/running tests and do not ask to read system files or transmit data to unexpected endpoints. However, the SKILL.md assumes presence of tools (npm/npx, python/pytest, swift, Node) but the skill declares no required binaries. There are minor mistakes (e.g., 'uv pip install pytest...' appears to be a typo). Playwright instructions will download browsers (npx playwright install) from upstream servers — normal for Playwright but worth being aware of.
Install Mechanism
There is no install spec and no code files. This is an instruction-only skill, so nothing will be written to disk by the skill package itself. Risk from arbitrary installs is low — however following its commands (npm install, npx, pytest, swift test) will install packages/tools if you run them.
Credentials
The skill declares no environment variables, credentials, or config paths and the instructions do not reference secrets or unrelated environment variables.
Persistence & Privilege
always is false and the skill does not request persistent system presence. It does not attempt to modify other skills or system-wide agent settings.
What to consider before installing
This skill appears to be a helpful, instruction-only test-runner guide, but review before running the commands: 1) Verify the publisher/metadata — the provided _meta.json differs from the registry metadata (ownerId and slug mismatch); that inconsistency could be an innocuous bookkeeping error but is worth confirming. 2) The SKILL.md assumes tools (node/npm/npx, Python/pytest, Swift, Playwright) but the skill did not declare required binaries — ensure those tools are present and trustworthy before running install commands. 3) There is a typo ('uv pip install...') — double-check commands before copy/paste. 4) Running npx playwright install will download browser binaries from Playwright servers — run such commands in a sandbox/container or CI runner if you need to limit network/filesystem exposure. 5) Prefer to inspect any package versions you install (package.json, pip deps) and run installs in an isolated environment. If you cannot verify the publisher or metadata, treat the skill as untrusted and avoid executing its install/run commands on sensitive hosts.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b6wdwf2m9w9rqcest69km3d851mpe

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments