fullstack-dev-engineer
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is an instruction-only full-stack development guide with no hidden code or credential requirements, though its deployment examples should be reviewed before use.
This skill appears safe to install as a documentation/code-generation helper. Before using its generated Docker, Kubernetes, or CI/CD configurations, replace placeholder secrets, confirm deployment targets, and require review for any production changes.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user applies the generated deployment commands without review, they could unintentionally change a production Kubernetes workload.
The DevOps guide includes a Kubernetes production deployment command as a template. This is purpose-aligned deployment guidance, not automatic execution by the skill, but it can modify real infrastructure if copied and run.
kubectl set image deployment/myapp ... --namespace=production
Review generated deployment commands, test in staging first, verify the namespace/context/image, and add manual approval gates for production.
Overbroad or leaked CI/CD secrets could allow image publishing or cluster deployment outside the intended scope.
The CI/CD examples rely on Docker registry and Kubernetes credentials. This is expected for deployment guidance and there is no evidence the skill reads or logs credentials, but these secrets grant high-impact access when configured by the user.
password: ${{ secrets.DOCKER_PASSWORD }} ... kubeconfig: ${{ secrets.KUBE_CONFIG }}
Use least-privilege deployment tokens, protected CI/CD secrets, and environment approvals, and avoid pasting real credentials into prompts.
