RTFM Testing
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only documentation testing skill is coherent, but users should know it works by spawning another agent and giving it the supplied docs to follow.
This skill appears benign and purpose-aligned. Before using it, make sure the docs and tasks you provide are safe for a spawned tester agent to read and possibly act on, especially if they contain commands, deployment steps, internal procedures, or sensitive information.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the provided docs include commands or actions that change files, services, or accounts, the spawned tester could attempt those steps as part of the test.
The skill explicitly instructs use of a tool that creates another agent to attempt the documentation task. This is core to the skill, but users should understand that the spawned tester may follow documented task steps.
Spawn a fresh tester — Use the TESTER.md prompt with `sessions_spawn`
Use this skill in a safe test environment and require human review before testing documentation that includes destructive, public, or account-mutating actions.
Any private documentation, internal procedures, or secrets included in the pasted docs would be shared with the spawned tester session.
The workflow passes the user's documentation into a spawned agent session. This is disclosed and purpose-aligned, but it is still an inter-agent data flow.
task: "Complete the following task using ONLY the provided documentation. [TASK DESCRIPTION]\n\n---\n\n[PASTE DOCS HERE]"
Only paste documentation that is appropriate to share with the spawned agent, and remove credentials, tokens, or other sensitive material before testing.