v1.0.1

multi-role

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:47 AM.

Analysis

This is mostly a coherent workflow skill, but it delegates broad tool access to sub-agents, keeps persistent task memory, and makes a file-access promise that does not match its documented coding workflows.

GuidanceInstall only if you are comfortable with a governance skill that can coordinate coding/testing work and persistent project memory. Set clear project boundaries, ask it to confirm before running commands or changing files, and review the sessions, logs, archives, and shared metrics file regularly.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityLowConfidenceHighStatusNote

SKILL.md

每次回复前必须先读 `OUTPUT-RULES.md`，再输出任何内容。这是最高优先级规则。

The skill tells the agent to treat its own output file as a highest-priority rule and to read it before replying, which can override normal user-preferred response style or force extra tool use.

User impactThe assistant may prioritize the skill’s response format over detailed explanations unless you explicitly ask for details.

RecommendationTreat these as style instructions only; do not let them override system rules, user requests for transparency, or safety checks.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

在同一条消息中发出多个 Task 工具调用...它们会并发执行，每个任务拥有完整的工具权限。

The skill authorizes parallel sub-agent execution where each task has full tool permissions, increasing the impact of mistakes or ambiguous instructions.

User impactMultiple delegated agents could read, write, run, or modify workspace files at the same time if the host tools allow it.

RecommendationBefore installing, require explicit approval for code changes, command execution, deletion, publishing, or other high-impact actions; limit sub-agent permissions where possible.

Human-Agent Trust Exploitation

SeverityMediumConfidenceMediumStatusConcern

README.md

不会访问 Skill 目录以外的任何位置...所有写入操作均限定在本 Skill 目录内。

This strong file-access claim is hard to reconcile with the included development and logging workflows that describe coding work, running validation, and paths such as project logs and governance logs.

User impactA user may install it believing it only touches the skill folder, while the documented workflows can lead the agent into broader project files and logs.

RecommendationClarify the real file boundary: whether it only writes session memory, or whether it may read, run, and modify user project files during development tasks.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

references/rules/记忆管理规范.md

项目记忆 > 角色记忆 > 系统记忆...context.md / decisions.md / pitfalls.md...archives/ 下的所有归档文件 永不淘汰

The skill creates and reuses persistent project, role, and system memory, including archives that are never automatically removed.

User impactProject details, decisions, bug histories, and mistakes may persist and influence future tasks.

RecommendationDo not store secrets in session or log files; periodically review and prune memory, archives, and task logs.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusConcern

SKILL-VALUE-REPORT-SPEC.md

每个 Skill 任务完成后，向共享指标文件追加一条结构化记录...聚合层...读取这些记录，过滤并渲染摘要...should_display 由各 Skill 自行判断

Other skills can write to a shared metrics file that this skill later reads and renders, but the artifacts do not document origin validation or sanitization.

User impactAnother skill could place misleading or untrusted text into summaries that this skill displays.

RecommendationValidate the source and schema of metrics records, escape or summarize untrusted fields, and make cross-skill reporting opt-in.