Sen Dev Patterns

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If this script is run, it may use an existing GitHub credential from the user's machine to act on their GitHub account without the user explicitly pasting a token for that run.

Why it was flagged

The script does not only use an explicitly supplied token; it searches local VSCode GitHub auth storage and git credential storage for account credentials. This is not declared in the skill requirements, which list no required credentials.

Skill content

paths = [os.path.expandvars(r"%APPDATA%\Code\User\globalStorage\github-auth-token")] ... subprocess.run(['git', 'credential', 'fill'], input='protocol=https\nhost=github.com\n\n', ...)

Recommendation

Require an explicit, least-privilege token for publishing, declare the credential requirement in metadata, and remove automatic probing of IDE or git credential stores unless the user clearly opts in.

What this means

Running the helper could publicly publish repository contents or change the user's GitHub account state.

Why it was flagged

The script can create a public GitHub repository and push the current repository contents. Publishing is high-impact and broader than the skill's primary role as a personal development-pattern reference.

Skill content

data = {'name': repo_name, 'description': description, 'private': False, 'auto_init': False} ... requests.post(f'{GITHUB_API}/user/repos', headers=headers, json=data) ... subprocess.run(['git', 'push', '-u', 'origin', 'master'], ...)

Recommendation

Add an explicit confirmation step before creating public repositories or pushing content, document exactly what will be published, and keep publishing helpers separate from the installed skill if ordinary users do not need them.

What this means

A Gitee token may remain stored in the local repository configuration after publishing.

Why it was flagged

The Gitee publisher embeds the access token directly into the git remote URL, which can persist in local git configuration and be exposed through later git tooling or logs.

Skill content

remote_url = f'https://the13ai:{token}@gitee.com/the13ai/{REPO_NAME}.git' ... subprocess.run(['git', 'remote', 'set-url', 'gitee', remote_url], check=True)

Recommendation

Use a credential manager or token prompt instead of embedding tokens in remotes, and document cleanup steps such as resetting the remote URL after publishing.