python-dev
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a documentation-only Python tooling setup skill; it suggests local install, formatting, and cleanup commands, but the provided artifacts do not show hidden code, credential use, or data exfiltration.
This skill appears safe to use as a Python project setup guide. Before running its commands, make sure you are inside the intended project, keep changes under version control, review generated `pyproject.toml`, `Justfile`, and `.pre-commit-config.yaml`, and be aware that `just check`/pre-commit may auto-format files. The reviewed artifacts do not justify providing wallets, payment access, or sensitive credentials.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the suggested recipes may change source formatting or remove generated artifacts in the current project.
The recommended Justfile runs local CLI tools that can edit project files and delete common build/cache directories. This is disclosed and aligned with Python development, but users should know it mutates the working tree.
check:
    uv run ty check
    uv run ruff check --fix && uv run ruff format
...
clean:
    rm -rf dist/ build/ .pytest_cache/ .ruff_cache/ htmlcov/
Run these commands in the intended project directory, preferably under version control, and review diffs after auto-fix or format steps.
Installing the stack will download and run third-party development tools in the project environment.
The setup depends on external packages and GitHub-hosted pre-commit hooks. This is normal for the stated purpose and versions are disclosed, but it is still a supply-chain dependency users should trust.
uv add --dev ruff ty pytest pytest-asyncio pre-commit
...
repo: https://github.com/pre-commit/pre-commit-hooks
rev: v6.0.0
...
repo: https://github.com/astral-sh/ruff-pre-commit
rev: v0.15.12
Review dependency sources, keep the lockfile, and use trusted package indexes and pinned hook versions.
After installation, configured hooks may automatically lint or format files during Git commits.
Installing pre-commit creates a project Git hook that continues to run on future commits. This is a normal, user-directed development workflow rather than hidden persistence.
Then run: `uv run pre-commit install`
Only install hooks in repositories where you want that behavior, and review `.pre-commit-config.yaml` before enabling it.
Users may be confused by unrelated high-risk labels and should not provide wallets, payment authority, or secrets for this skill based on the reviewed docs.
The high-risk capability signals do not match the reviewed instruction-only Python tooling content or the credential declarations. This looks like a metadata ambiguity rather than evidence that the skill uses wallets, purchases, or credentials.
Capability signals: crypto; requires-wallet; can-make-purchases; requires-sensitive-credentials
...
Primary credential: none
...
Required env vars: none
The publisher should correct the capability signals; users should grant no extra credentials unless a specific, user-chosen project task requires them.
