Auto Test

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This looks like a normal unit-test generation skill, but users should review any local scripts and test-running commands before using it.

This skill appears purpose-aligned for generating unit tests. Before using it, verify any referenced local script, run a dry run first, limit it to the intended project directory, and review generated tests before running coverage or committing changes.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Severity: Low
What this means

Generated tests may be created or changed inside the project, which could affect commits, builds, or review results.

Why it was flagged

The skill is designed to read a project directory and write generated test files. This is expected for test generation, but it gives the agent file-level influence over the user's codebase.

Skill content
`--path` | Project path | `.` ... `--output` | Output file/directory | `./tests/`
Recommendation

Use `--dry-run` first, scope `--path` to the intended project, and review generated files before committing or running them.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Info
What this means

If a user runs an untrusted or unexpected local script at that path, behavior could differ from the documented skill.

Why it was flagged

The documented workflow references a local helper script, while the supplied package is instruction-only with no code files. This is not suspicious by itself, but the actual script provenance should be checked before execution.

Skill content
python3 scripts/generate-tests.py --path /path/to/project --framework pytest
Recommendation

Confirm where `scripts/generate-tests.py` comes from and inspect it before running the command.

ASI05: Unexpected Code Execution
Severity: Low
What this means

Running tests may trigger side effects from the project under test, such as file writes, network calls, or use of local configuration if the project tests do those things.

Why it was flagged

Coverage generation involves running tests, which can execute project code. This is central to the stated purpose, but it is still a behavior users should notice.

Skill content
Coverage calculation - run the tests and generate a coverage report
Recommendation

Run coverage in a controlled development environment and inspect the generated tests before executing them.