v1.0.1

Architect Engineer — World-Class AI Build System

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:58 AM.

Analysis

This instruction-only coding skill is broadly on-topic, but it includes aggressive autonomous-use instructions, immediate git-push guidance, persistent automation patterns, and unsafe API debug logging that should be reviewed before use.

Guidance: Review this skill carefully before installing if your agent can run shell, git, deployment, or API tools. Use it with explicit approval gates for commits, pushes, cron jobs, deployments, and API calls; replace company-specific defaults; and require generated code to redact secrets from logs.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low | Confidence: High | Status: Note
SKILL.md
Use ANY time ... ANY other technical, engineering, or systems-building task ... USE THIS SKILL. Trigger aggressively.

The routing language is unusually broad and can cause the agent to apply this skill to nearly any technical request, even when a user may have wanted a lighter-weight answer.

User impact: The assistant may over-apply this skill and produce larger, more autonomous build plans than the user intended.
Recommendation: Use this skill only when broad technical build assistance is desired, and ask the agent to keep scope narrow for small code or documentation tasks.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
COMPANY-INTEGRATION.md
# Always push AgentReach changes immediately after they work
git add -A && git commit -m "feat: description" && git push

This is not just a neutral git reference; it instructs immediate remote pushes and uses `git add -A`, which can publish unintended changes without an explicit review step.

User impact: If followed by an agent with repository access, unintended files or unfinished changes could be committed and pushed to a remote repository.
Recommendation: Require an explicit user approval step before any commit or push, show the diff first, avoid `git add -A` by default, and prefer branches or pull requests over direct pushes.

Rogue Agents
Severity: Low | Confidence: High | Status: Note
references/automation-scripting.md
The definitive playbook for cron jobs ... Everything that runs without a human clicking buttons.

The skill intentionally teaches persistent automation patterns such as cron jobs, schedulers, and background work; this is purpose-aligned but can continue operating after the initial task.

User impact: Generated automations may keep running on schedules or in the background if installed, which can create ongoing costs, emails, file changes, or API calls.
Recommendation: Before installing scheduled or background jobs, require explicit user approval, include dry-run mode, document where the job is installed, and provide clear disable/uninstall steps.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: Medium | Status: Concern
references/debugging.md
logger.debug(f"Params: {params}") ... logger.debug(f"Response headers: {dict(response.headers)}") ... logger.error(f"Request URL: {response.url}")

For API integrations, parameters, headers, and final URLs can contain API keys, OAuth tokens, cookies, or sensitive identifiers; the guidance does not show redaction.

User impact: Generated debugging code could write credentials or private data into logs, making them easier to leak or reuse accidentally.
Recommendation: Redact Authorization headers, cookies, API keys, tokens, query strings, and PII before logging; document safe logging defaults in the skill references.