Run the pure-LLM variant of the QLCoder workflow for both CVE samples and local Web App repositories. Supports multi-profile taint-flow analysis with source/...
Security Analysis
medium confidenceThe skill appears to implement a QLCoder 'pure-LLM' taint/triage workflow and mostly matches that purpose, but there are inconsistencies (mismatched skill naming and hard-coded developer paths) and the bundled script runs local filesystem scans and subprocesses — review before trusting it on sensitive code.
The SKILL.md and bundled files implement a QLCoder pure-LLM taint-flow analysis (Java/Python web) which matches the described capability, but the registry metadata/name ('SATAgent') does not match the SKILL.md name/slug (qlcoder-pure-llm / coder-pure-llm). This naming mismatch and leftover absolute paths (e.g., /Users/aibot/...) are incongruent and suggest sloppy packaging or repackaging.
Instructions intentionally read repository files, build manifests, and run local analysis; the bundled script performs wide file-system scanning (rglob over repo), pattern matching, writes JSON artifacts, and calls subprocess.run to invoke external commands (e.g., python -m qlcoder.cli). Those actions are consistent with code-analysis purpose, but SKILL.md contains hard-coded absolute developer paths and encourages running the wrapper which will search the entire repo — a significant scope that should be reviewed by the user.
No install spec or remote downloads are present; the skill is instruction-only with a bundled Python script. Nothing external is fetched during install by the skill package itself.
The skill declares no required environment variables or credentials and the code does not require external tokens. It reads local files and may invoke local Python modules; no unnecessary secrets access is requested.
always:false and no special persistence or modifications to other skills are requested. The skill can be invoked by the model (normal default). The primary risk is the skill's ability to read workspace/repo files and run subprocesses when executed.
Guidance
This skill runs local repository-wide scanning and executes subprocesses (it invokes python -m qlcoder.cli and similar). Before installing or running: 1) Confirm the QLCoder project you expect is present (qlcoder/cli.py) and that you trust that code; 2) Inspect scripts/run_pure_llm.py (already bundled) to ensure there are no hidden network calls or unexpected commands beyond the visible filesystem scanning and subprocess usage; 3) Note the SKILL.md contains developer-specific absolute paths (/Users/aibot/...), update those to your environment or run from a copy; 4) Run the skill in an isolated sandbox or on a non-sensitive copy of the repository first; 5) If you need stronger assurance, ask the publisher to fix the naming/packaging inconsistencies and remove hard-coded paths. These discrepancies (name mismatch and hard-coded paths) are the main reasons this analysis is flagged as suspicious rather than benign.
Latest Release
v1.0.0
Version 1.0.0 Summary: Major overhaul from SAT prep assistant to QLCoder Pure LLM taint-flow security analysis workflow. - Replaces all SAT-specific content and files with QLCoder pure-LLM taint-flow analysis for Java/Python Web Apps. - Adds support for CVE sample manifest and local repository security workflows. - Introduces multi-profile source/sink/sanitizer typing and emits triaged findings summaries. - Provides quick start, detailed workflow instructions, references, and output contract for results. - Removes SAT topic files, college planning, and test prep logic in favor of security analysis documentation.
Popular Skills
Published by @setg-git on ClawHub
