Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Audit Verification Pipeline

v1.0.0

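Three-level acceptance pipeline for audit findings: own forge test verification → GitHub CI → auditor review. Ensures that submitted output is genuine, reliable, and verification-grade.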

by zengbao yu @yuzengbaao
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and SKILL.md all describe a three-level audit verification pipeline (local Foundry PoC → GitHub CI → human auditor). The steps and artifacts in the instructions are coherent with the stated purpose.
Instruction Scope
Instructions ask humans (or an agent) to read repo source, write Foundry PoC tests, run `forge build`/`forge test`, add a GitHub Actions workflow, and check historical reports. That scope is appropriate for the pipeline, but it assumes access to repository files and the Foundry toolchain — the SKILL.md itself does not declare these runtime dependencies explicitly.
Install Mechanism
Instruction-only skill with no install steps or code files; nothing will be written to disk by the skill package itself. This is low-risk. However, operational steps in SKILL.md rely on external tools (Foundry) that are not installed by the skill.
Credentials
The skill requests no environment variables or credentials, which is appropriate. But the SKILL.md presumes access to the repository and to GitHub CI; if an automated agent were given permissions to run these steps, it could interact with repo contents and CI — the skill metadata does not document those required permissions.
Persistence & Privilege
Skill is not always-on and has no install hooks. It does not request persistent agent-level privileges or modify other skills. Autonomous invocation is allowed (platform default) but the workflow includes an explicit human approval step (level 3).
What to consider before installing
This is primarily a procedural checklist for auditors: it tells you how to write and verify Foundry PoCs, set up a GitHub CI workflow, and perform human review. Before installing or automating this skill:

- Clarify runtime dependencies: SKILL.md expects the Foundry toolchain (forge) and repository access, but the skill metadata lists no required binaries. Ensure Foundry is installed where the agent would run these steps.
- Repository and CI access: the workflow operates on repo files and instructs adding a GitHub Actions workflow. If you allow an agent to run these steps, ensure it has only the minimum repo/CI permissions and that no sensitive secrets are exposed to test runs.
- Review PoC code manually before executing: Forge tests often execute arbitrary smart-contract code from the repository; run tests in isolated environments and review PoC code to avoid running untrusted payloads or leaking keys.
- If you need this skill to run fully automatically, request the publisher to update metadata to declare required binaries (forge/foundry) and any needed permissions; lacking that, treat the skill as an instruction-only checklist for human use.

Confidence would increase to high if the publisher updated the metadata to list required binaries/permissions or provided an installer, or if they confirmed this is intentionally a documentation-only skill.
