Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Auto Prodcution
v1.0.0用「评分表驱动迭代」方法把项目做到生产级别。每次输入 /vibe-coding 启动,自动打分、修复、循环直到满足生产就绪阈值。
⭐ 0· 13·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description align with the runtime instructions: reading the repo, evaluating dimensions, making fixes, and committing changes is coherent with an 'auto production' workflow. However, the SKILL.md expects many CLI scanners and git to be present (semgrep, trivy, govulncheck, npm/pip-audit, gocyclo, etc.) but the skill metadata declares no required binaries — the skill will fail or behave unpredictably if those tools are missing.
Instruction Scope
The instructions explicitly tell the agent to modify repository files and run 'git add -A && git commit ...' for every sub-fix and to 'directly execute' without asking for confirmation. That gives the skill authority to make persistent, potentially large changes to user code without explicit consent per change. The skill also instructs scanning for secrets and running security tools on the whole repo (which is expected) but does not constrain what to do with discovered secrets or results — this increases risk of accidental disclosure or destructive automated edits.
Install Mechanism
No install spec and no code files are present (instruction-only), which minimizes supply-chain risk. There is no download or extract step. The main practical issue is that required third-party tools are referenced in SKILL.md but not declared as dependencies.
Credentials
The skill requests no environment variables or credentials, which is proportionate to its stated purpose. Nonetheless, running the recommended scanners will read all repository files (which may contain secrets) and the skill makes no guidance about handling or protecting any sensitive findings it uncovers.
Persistence & Privilege
Although always:false and there is no special platform privilege, the skill directs automatic, repeated commits into the user's repository and instructs the agent not to ask 'whether to proceed' before making changes. That persistent modification behavior is powerful and risky — it can alter source history, introduce regressions, or leak sensitive data in commits if used without safeguards.
What to consider before installing
This skill is coherent with its stated purpose but has two practical risks you should consider before installing or running it: (1) It will automatically modify and commit files in your repo without per-change confirmation. Run it only on a fork/branch or a disposable clone, or modify the workflow to produce diffs for human review instead of committing. (2) It expects many external CLI tools (semgrep, trivy, govulncheck, npm/pip-audit, gocyclo, etc.) but does not declare them; ensure these are installed in a controlled environment. Additional precautions: back up your repo, run in a sandbox or CI job with limited permissions, review the VIBE_SCORECARD.md and every proposed commit before merging, and avoid running this on repositories that contain secrets or production credentials. If you want safer operation, require interactive confirmation before commits or change commit commands to create branches/PRs instead of direct commits.Like a lobster shell, security has layers — review code before you run it.
latestvk9767zb9vsjgw9v8hq35z5fwb584bgk2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.