Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

DocSync

v1.0.1

Generate and auto-sync documentation from code with git hooks; detect and fix doc drift using tree-sitter parsing and semantic diffs locally.

MIT-0
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's name/description (generate docs, detect drift, install git hooks) matches the requested binaries (git, bash) and the three brew installs (lefthook, tree-sitter, difftastic). One inconsistency: the registry metadata at top reported 'Required env vars: none' while the skill declares a primary credential DOCSYNC_LICENSE_KEY — the license is used to gate Pro/Team features. Otherwise required binaries and install formulas are appropriate for the claimed functionality.
Instruction Scope
SKILL.md and the scripts stay within the stated scope: local analysis (tree-sitter or regex), doc generation, drift reports, and git hook installation. Important runtime behaviors to be aware of: the hooks-install flow copies/merges a lefthook.yml into the repository root and runs lefthook install; the pre-commit hook will parse staged source files and can block commits on 'critical' drift. The skill reads ~/.openclaw/openclaw.json for an apiKey and sources its own scripts from the installed skill directory; it does not perform external network calls according to the code.
Install Mechanism
Install spec uses Homebrew formulas for well-known tools: lefthook, tree-sitter, and difftastic. No arbitrary downloads or URL-based installers are used in the provided files. This is proportional and traceable.
Credentials
The only credential the skill uses is DOCSYNC_LICENSE_KEY (primaryEnv) to unlock Pro/Team features; this is appropriate. Two small points: (1) the registry summary listed 'Required env vars: none' which contradicts the primary credential declaration, and (2) license.sh will read the user's ~/.openclaw/openclaw.json (if present) to look up the apiKey — it only extracts a specific field but does read that config file locally. No unrelated credentials or network-based secrets are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated system privileges. However, it does modify a repository's files: it will create or merge a lefthook.yml in the repo root and run lefthook install to add pre-commit hooks. Those hooks can block commits (unless skipped) and will run the skill's drift checks on staged files — this is expected behavior for a git-hook-based tool but is a persistent change to repositories the user opts into.
Assessment
DocSync appears to be what it says: a local doc generator and drift detector that uses lefthook/tree-sitter/difftastic. Before installing:
1) Note that Pro/Team features require a license key (DOCSYNC_LICENSE_KEY) — registry metadata omitted this, so if you rely on the registry summary, set the env or add the apiKey to ~/.openclaw/openclaw.json as documented.
2) Installing hooks will create/merge a lefthook.yml in your repository and run lefthook install; this will add a pre-commit hook that can block commits. Back up any existing lefthook.yml before install if you have custom hooks.
3) The license check is performed offline and decodes the JWT payload without cryptographic signature verification; this is a design tradeoff for offline use (it affects licensing enforcement, not data exfiltration).
4) The skill reads your ~/.openclaw/openclaw.json (local config) to find a stored apiKey; ensure that file is correct and trustworthy.
5) Review the provided scripts (they are plain Bash) if you want to be certain; no network calls or obfuscated code were found in the source.
If you want stronger guarantees, run the code in a test repository first to observe the hook behavior and outputs.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97am9ajp26xzfyv2nc7g8fm3h814dze

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

📖 Clawdis
OS: macOS · Linux · Windows
Bins: git, bash
Primary env: DOCSYNC_LICENSE_KEY

Install

Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook
Install tree-sitter (code parser)
Bins: tree-sitter
brew install tree-sitter
Install difftastic (semantic diff)
Bins: difft
brew install difftastic