coding-agent-common
Review
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only coding skill is purpose-aligned, but it recommends running external coding agents in auto-approved or permission-bypassing modes and as background jobs that can change projects without step-by-step review.
Install only if you are comfortable letting external coding CLIs operate on a clearly chosen project directory. Prefer temporary worktrees, avoid bypass/full-auto ("yolo") modes, review plans and diffs before accepting changes, and be especially careful before running push, PR, install, or long-running background workflows.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A coding agent could edit files, run commands, or make broad project changes before the user reviews each step.
The skill recommends running coding agents with permission bypass or automatic approval modes, which can let those agents modify the workspace without per-action confirmation.
exec workdir:/path/to/project command:"claude --permission-mode bypassPermissions --print 'add error handling to API calls'" ... codex exec --full-auto
Use least-privilege modes when possible, require an explicit plan and diff review before applying changes, and reserve bypass/full-auto modes for trusted repositories and clearly scoped tasks.
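One way to enforce the "reserve bypass/full-auto for trusted repositories" recommendation before a command is ever handed to the agent CLI, as an added example that is not part of the audited skill: a small POSIX-shell gate that recognises the two flags the skill documents (`--permission-mode bypassPermissions` and `--full-auto`) and refuses them unless an opt-in variable is set and the working directory lies under a trusted root. The variable names `AGENT_ALLOW_BYPASS` and `AGENT_TRUSTED_ROOT` and the paths are assumptions made up for the example.

```shell
#!/bin/sh
# Policy gate for delegated coding-agent commands. Added example; not the skill's own code.
# Assumed (hypothetical) environment variables:
#   AGENT_ALLOW_BYPASS=1  -> bypass/full-auto modes may be used at all
#   AGENT_TRUSTED_ROOT    -> directory under which such modes are permitted (e.g. a worktree root)

# 0 if the command line asks for a permission-bypassing or auto-approving mode.
# The two flags are the ones the audited skill documents; extend the pattern for other CLIs.
is_bypass_mode() {
  printf '%s\n' "$1" | grep -Eq -e '--permission-mode[ =]bypassPermissions|--full-auto'
}

# 0 if $1 equals $2 or lies underneath it (plain string check; resolve symlinks first if needed).
under_root() {
  case "$1" in
    "$2"|"$2"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Decide whether <cmd> may run in <workdir>. Prints the decision; returns 0 = allowed, 1 = refused.
# Deliberately executes nothing: the caller runs the command only after a 0 result and after
# reading the agent's plan.
gate_agent_command() {
  workdir=$1; cmd=$2
  root=${AGENT_TRUSTED_ROOT:-/nonexistent}; root=${root%/}
  if is_bypass_mode "$cmd"; then
    if [ "${AGENT_ALLOW_BYPASS:-0}" != 1 ]; then
      echo "refused: bypass/full-auto mode is disabled (set AGENT_ALLOW_BYPASS=1 only for trusted repos)"
      return 1
    fi
    if ! under_root "$workdir" "$root"; then
      echo "refused: $workdir is outside the trusted root ${AGENT_TRUSTED_ROOT:-(unset)}"
      return 1
    fi
  fi
  echo "allowed in $workdir: $cmd"
}

# Constructed demonstration: a full-auto run in an ordinary project directory is refused.
gate_agent_command /home/user/project "codex exec --full-auto 'refactor the authentication module'" || true
```

The gate is a string check, so it belongs in front of the wrapper that actually launches the CLI; it does not replace reading the plan and the resulting diff, it only makes sure the unreviewed mode cannot be reached by accident outside the directory you chose for it.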
A delegated coding task can continue running after the immediate response, consuming resources or continuing to change files until monitored or stopped.
The skill intentionally supports background coding-agent sessions; it also documents monitoring and kill commands, so this is disclosed but still important for users to notice.
exec pty:true workdir:/path/to/project background:true command:"codex exec --full-auto 'refactor the authentication module'"
Track session IDs, check logs regularly, run background agents in isolated worktrees or temporary directories, and kill sessions that are no longer needed.
Branches or pull requests may be created under the user's account in the configured remote repository.
This workflow can act through the user's git remote and GitHub CLI identity to push branches and create PRs. It is purpose-aligned, but when run it acts with the user's account-level authority.
exec workdir:/tmp/issue-78 command:"git push -u origin fix/issue-78 && gh pr create --title 'fix: ...' --body '...'"
Confirm the repository, remote, branch name, and authenticated GitHub account before running push or PR commands, and review generated changes first.
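The checks in the recommendation above (repository, remote, branch and authenticated account) can be made mechanical rather than left to memory. The following POSIX-shell pre-flight is an added example, not code from the audited skill: it normalises the remote URL to `owner/repo`, refuses pushes from `main`/`master` or a detached `HEAD`, and compares the `gh` login with the one you intend to act as. The values are passed in as arguments so the functions run offline; the usage comment shows the real `git` and `gh` invocations that would supply them, and `acme/widgets` and `alice` are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight checks before `git push` / `gh pr create`. Added example; not the skill's own code.
# Assumptions: the caller passes in the values read from git and gh (see the usage comment);
# "acme/widgets" and "alice" are constructed placeholders.

# Print owner/repo for a GitHub remote URL (scp-style, ssh:// or https://); fail for anything else.
normalize_github_remote() {
  url=$1
  case "$url" in
    git@github.com:*)        slug=${url#git@github.com:} ;;
    ssh://git@github.com/*)  slug=${url#ssh://git@github.com/} ;;
    https://github.com/*)    slug=${url#https://github.com/} ;;
    *) return 1 ;;
  esac
  slug=${slug%/}; slug=${slug%.git}
  case "$slug" in
    */*/*|*/|/*|"") return 1 ;;     # more or fewer than exactly two path components
    */*) printf '%s\n' "$slug" ;;
    *) return 1 ;;
  esac
}

# Every check must pass before anything leaves the machine:
#   $1 expected owner/repo   $2 remote URL   $3 current branch
#   $4 login gh is authenticated as   $5 the login you intend to act as
pr_preflight() {
  actual=$(normalize_github_remote "$2") || { echo "refused: $2 is not a GitHub repository URL"; return 1; }
  [ "$actual" = "$1" ] || { echo "refused: remote points at $actual, expected $1"; return 1; }
  case "$3" in
    main|master|HEAD) echo "refused: will not push from '$3'; use a task branch"; return 1 ;;
  esac
  [ "$4" = "$5" ] || { echo "refused: gh is logged in as $4, expected $5"; return 1; }
  echo "ok: push $3 to $actual as $5"
}

# Real usage, run inside the task worktree (git and gh on PATH is an assumption):
#   git diff --stat "$(git merge-base origin/main HEAD)"   # read the generated changes first
#   branch=$(git rev-parse --abbrev-ref HEAD)
#   pr_preflight acme/widgets "$(git remote get-url origin)" "$branch" \
#       "$(gh api user --jq .login)" alice \
#     && git push -u origin "$branch" && gh pr create --fill
```

Chaining the pre-flight with `&&` means a wrong remote, a wrong account or a detached checkout stops the push before `gh pr create` is reached; the diff review stays a manual step that precedes the chain.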
Incorrect generated changes could spread into multiple branches or review workflows if the user runs the parallel examples without careful review.
The documented parallel worktree workflow can install dependencies and run multiple autonomous coding agents. This is aligned with the skill purpose, but mistakes can propagate across branches or PRs.
exec pty:true workdir:/tmp/issue-78 background:true command:"pnpm install && codex exec --full-auto 'fix issue #78'"
Keep each task isolated, run tests, review diffs manually, and merge or publish only after human approval.
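The background-session finding and the parallel-worktree finding above reduce to the same controls: one throwaway worktree per task, a recorded pid and log for every background session so it can be checked and killed, and an explicit count of what the agent changed before anything is merged. The script below wires those together in POSIX shell; it is an added example and not code from the audited skill. It assumes `git` is on PATH, takes the agent command as an opaque string (in real use the `codex exec ...` line from the finding), and uses the made-up variables `AGENT_WORKTREE_ROOT` and `AGENT_SESSION_DIR` for where worktrees and pid/log files live.

```shell
#!/bin/sh
# Isolated worktree plus tracked background session for one delegated task.
# Added example, not the skill's own code. Assumptions: git on PATH; the agent command is
# passed in as a string; AGENT_WORKTREE_ROOT / AGENT_SESSION_DIR are hypothetical knobs.

WORKTREE_ROOT=${AGENT_WORKTREE_ROOT:-${TMPDIR:-/tmp}}            # where task worktrees are created
SESSION_DIR=${AGENT_SESSION_DIR:-${TMPDIR:-/tmp}/agent-sessions} # pid and log files per session

# Create a throwaway worktree on a fresh branch fix/<task> from <base>; print its path.
new_task_worktree() {  # repo task base
  path=$WORKTREE_ROOT/$2
  git -C "$1" worktree add -b "fix/$2" "$path" "$3" >/dev/null 2>&1 || return 1
  printf '%s\n' "$path"
}

# Start <cmd> in <workdir> as a background job; record its pid and capture all of its output.
start_session() {  # name workdir cmd
  case "$1" in *[!A-Za-z0-9._-]*|"") echo "bad session name: $1" >&2; return 1 ;; esac
  mkdir -p "$SESSION_DIR"
  [ -d "$2" ] || { echo "no such workdir: $2" >&2; return 1; }
  [ ! -e "$SESSION_DIR/$1.pid" ] || { echo "session $1 already exists" >&2; return 1; }
  (cd "$2" && exec sh -c "$3") >"$SESSION_DIR/$1.log" 2>&1 &
  echo $! >"$SESSION_DIR/$1.pid"
  echo "started $1 pid=$! log=$SESSION_DIR/$1.log"
}

# 0 if the recorded process is still alive.
session_running() {  # name
  [ -f "$SESSION_DIR/$1.pid" ] || return 1
  kill -0 "$(cat "$SESSION_DIR/$1.pid")" 2>/dev/null
}

# Terminate the session, reap it if it is our child, drop the pid record; the log is kept for review.
stop_session() {  # name
  [ -f "$SESSION_DIR/$1.pid" ] || return 1
  pid=$(cat "$SESSION_DIR/$1.pid")
  kill -TERM "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  rm -f "$SESSION_DIR/$1.pid"
  echo "stopped $1 (pid $pid); log kept at $SESSION_DIR/$1.log"
}

# Number of paths with uncommitted changes in a worktree: review each before merging anything.
pending_change_count() {  # worktree
  git -C "$1" status --porcelain | wc -l | tr -d ' '
}

# Remove the worktree and its branch once the work has been merged or abandoned.
remove_task_worktree() {  # repo task
  git -C "$1" worktree remove --force "$WORKTREE_ROOT/$2" >/dev/null 2>&1 &&
  git -C "$1" branch -D "fix/$2" >/dev/null 2>&1
}

# Typical flow (commented so the file defines functions only when sourced):
#   wt=$(new_task_worktree ~/src/project issue-78 origin/main)
#   start_session issue-78 "$wt" "pnpm install && codex exec --full-auto 'fix issue #78'"
#   session_running issue-78 && tail -f "$SESSION_DIR/issue-78.log"
#   stop_session issue-78; git -C "$wt" diff; echo "$(pending_change_count "$wt") paths to review"
#   remove_task_worktree ~/src/project issue-78      # after the human-approved merge
```

Because each session has its own pid file and log, a forgotten agent shows up in `ls "$SESSION_DIR"` rather than only in `ps`, and because the worktree is created from a named base ref, a bad result is discarded with `remove_task_worktree` without touching the main checkout.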
