Skill v1.0.0
ClawScan security
VibeCoding AI Programming Workflow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 4:03 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: This is an instruction-only AI programming workflow guide that does not request credentials, install software, or instruct the agent to access system files—its declared requirements line up with its stated purpose.
- Guidance: This skill appears to be a content-only workflow guide and is internally consistent with its description. Before installing or enabling it for autonomous use, review the full SKILL.md (including the truncated portion) to confirm there are no hidden steps that run shell commands, request API keys/tokens, or post data to external endpoints. If you plan to let an agent invoke the skill autonomously, test it in a limited/isolated environment first and avoid granting unrelated credentials. If you see any instructions asking for secrets, local file reads, or downloads from untrusted URLs, treat that as a red flag.
Review Dimensions
- Purpose & Capability: ok. The name/description (VibeCoding workflow and coding templates) matches the content: the SKILL.md provides process steps, templates, and examples for generating and testing code. No unexpected binaries, env vars, or external services are declared.
- Instruction Scope: ok. The runtime instructions are process-oriented: requirement templates, test-first workflow, iteration prompts, and examples. There are no explicit commands, system paths, or references to reading local files or secret env vars in the provided text. (Note: the SKILL.md snippet shown is truncated at the end; the visible portion contains only benign workflow guidance.)
- Install Mechanism: ok. No install spec and no code files — the skill is instruction-only, so nothing will be written to disk or downloaded during install.
- Credentials: ok. The skill declares no required environment variables, credentials, or config paths. The documented workflows reference common development tools conceptually (VS Code, GitHub Copilot) but do not request tokens or secrets.
- Persistence & Privilege: ok. always is false and the skill does not request elevated or persistent platform privileges. It does not attempt to modify other skills or system-level configurations in the visible instructions.
