Sen Dev Patterns
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly a personal development-pattern library, but it also includes publishing scripts that discover GitHub/Gitee credentials and can push the package to public repositories.
The reference documents themselves appear broadly purpose-aligned, but do not run the publishing scripts unless you intend to publish this repository and understand the token scope. Prefer removing or isolating publish_skill.py and publish_gitee.py for normal use, and use fresh least-privilege tokens rather than local stored credentials.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

If this script is run, it may use an existing GitHub credential from the user's machine to act on their GitHub account without the user explicitly pasting a token for that run.
The script does not only use an explicitly supplied token; it searches local VSCode GitHub auth storage and git credential storage for account credentials. This is not declared in the skill requirements, which list no required credentials.
paths = [os.path.expandvars(r"%APPDATA%\Code\User\globalStorage\github-auth-token")] ... subprocess.run(['git', 'credential', 'fill'], input='protocol=https\nhost=github.com\n\n', ...)
Require an explicit, least-privilege token for publishing, declare the credential requirement in metadata, and remove automatic probing of IDE or git credential stores unless the user clearly opts in.

Running the helper could publicly publish repository contents or change the user's GitHub account state.
The script can create a public GitHub repository and push the current repository contents. Publishing is high-impact and broader than the skill's primary role as a personal development-pattern reference.
data = {'name': repo_name, 'description': description, 'private': False, 'auto_init': False} ... requests.post(f'{GITHUB_API}/user/repos', headers=headers, json=data) ... subprocess.run(['git', 'push', '-u', 'origin', 'master'], ...)
Add an explicit confirmation step before creating public repositories or pushing content, document exactly what will be published, and keep publishing helpers separate from the installed skill if ordinary users do not need them.

A Gitee token may remain stored in the local repository configuration after publishing.
The Gitee publisher embeds the access token directly into the git remote URL, which can persist in local git configuration and be exposed through later git tooling or logs.
remote_url = f'https://the13ai:{token}@gitee.com/the13ai/{REPO_NAME}.git' ... subprocess.run(['git', 'remote', 'set-url', 'gitee', remote_url], check=True)
Use a credential manager or token prompt instead of embedding tokens in remotes, and document cleanup steps such as resetting the remote URL after publishing.
