Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cline Programming

v1.0.6

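A skill for invoking the Cline AI programming tool. It provides a plan-check-act workflow: Cline first generates a code plan, the plan is checked, and then it is executed. Supports the --verbose flag for observing progress.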

by 庄庭达 @touchdeeper
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the content: this is an instruction-only skill that tells the agent how to use the 'cline' CLI to generate (plan), review (check), and execute (act) code. The included test script exercises the same CLI commands. No unrelated binaries, env vars, or installs are requested.
Instruction Scope
The SKILL.md instructs use of --yolo (automatic approval) by default for both plan and act steps and shows examples that run plan and then act non-interactively. That grants the Cline CLI permission to execute generated code without manual review. The doc also suggests cat'ing ~/.cline/config.json for debugging which could expose stored API credentials. The 'check' step is described but in practice examples and test script default to auto-approve, reducing the practical safety of the workflow.
Install Mechanism
No install spec is provided (instruction-only). The test script only checks for an existing 'cline' command and directs to install via npm if missing. This is a low-risk, expected pattern for a CLI-invocation skill.
Credentials
The skill requests no environment variables or credentials itself. However, it relies on the user's Cline configuration (~/.cline/config.json or system keychain) which may contain API keys. The skill's instructions encourage viewing that config, which could expose secrets if followed without care. The lack of explicit credential handling is coherent but still presents an implicit secret-access risk.
Persistence & Privilege
always:false and no special privileges requested. The skill is user-invocable and can be called autonomously per platform defaults, which is normal. It does not try to modify other skills or system-wide settings.
What to consider before installing
This skill is a documentation wrapper for the external 'cline' CLI and appears to do what it says, but it repeatedly recommends using the '--yolo' automatic-approval flag which will run generated code without interactive review — this is the primary risk. Before installing or using the skill:

1) Avoid using --yolo for anything beyond trivial, well-audited tasks; always inspect plan-*.md and generated code before running 'act'.
2) Do not 'cat' or share ~/.cline/config.json unless you understand whether it contains API keys; treat such files as secrets.
3) Install the 'cline' CLI only from a trusted source (check the official homepage or the npm package maintainer) — this skill's source/homepage is unknown.
4) Prefer running tests and first-time executions in an isolated environment (container or VM).

If you want this skill to be safer, request the author remove default --yolo usage from examples, add explicit warnings, and provide an official source/repo for the Cline CLI used.

Like a lobster shell, security has layers — review code before you run it.
