Auto Prodcution
Security checks across malware telemetry and agentic risk
Overview
This skill is for automated code hardening, but it asks the agent to run commands, edit and commit project files, and loop without confirmation.
Use this only in a trusted repository, preferably on a new branch with a clean working tree. Review commands before they run, require approval before edits and commits, and do not treat the generated production-readiness score as a substitute for human review or external security testing.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could make and commit many code changes the user has not reviewed, including unrelated files picked up by `git add -A`.
The workflow tells the agent to modify code, stage all changes, commit them, and avoid asking for continuation approval. That is broad mutation authority over the current repository.
Implement the fix (modify the code); commit immediately after each sub-issue is completed: `git add -A && git commit -m ...` ... do not ask "continue?" or "proceed?", just execute
Require explicit user approval before applying edits and before each commit; avoid `git add -A`, work on a dedicated branch, and limit changes to user-approved files or tasks.
Running tests, scripts, or README commands can change the local environment, access local files, start services, or execute repository-defined code.
The skill instructs automatic execution of local project commands and README setup flows. In an untrusted or unfamiliar repository, those commands may run arbitrary project code.
First run the detection commands for that dimension ... `go test -cover ./...` / `jest --coverage` ... execute the README Quick Start
Run only in trusted repositories or a sandbox, inspect package scripts and README commands first, and ask the user before executing project-defined commands.
A mistaken score, bad repair, or failing command could propagate through many files and commits before the user notices.
The loop can continue across multiple dimensions and commits until thresholds are reached, with no overall iteration cap or required review checkpoint.
Not satisfied → go back to step two ... automatically score, fix, and loop until the production-readiness threshold is met
Add iteration limits, stop after each dimension for user review, require a clean working tree, and provide rollback guidance.
If the scorecard is stale, inaccurate, or edited by someone else, future runs may prioritize the wrong work.
The skill stores and reuses project state in VIBE_SCORECARD.md across invocations. This is disclosed and purpose-aligned, but the file can influence future behavior.
If it already exists, read it and continue iterating ... automatically read `VIBE_SCORECARD.md` and resume from the checkpoint
Review VIBE_SCORECARD.md before rerunning the skill and avoid placing secrets or sensitive operational details in it.
