Provides a comprehensive AI-assisted development workflow with PLAN/ACT separation, multi-agent collaboration, fault recovery, and security code review best...
Security Analysis
High confidence: This is an instruction-only best-practices guide for AI-assisted development; its instructions, file targets, and example scripts are consistent with the stated purpose and do not request unrelated credentials or installs.
Name/description (Vibe Coding Best Practices) match the content: workflow guidance, multi-agent orchestration, recovery SOPs, and security checklists. The skill declares no binaries, env vars, or installs—consistent with an instruction-only guideline.
SKILL.md explicitly instructs agents (in PLAN prompts) to read repository context (read_file/search_files), consult LOG.md, status/*.status, worktree dirs, and use git commands and example scripts. Those file and command targets are appropriate for a developer workflow, but they do grant the agent broad access to repository contents (including any secrets accidentally committed).
No install spec or external downloads; instruction-only skill — lowest install risk.
The skill requests no environment variables or credentials. It references services/tools (Claude, Kimi, OpenClaw, Sentry) only as recommendations; no unrelated secrets are demanded.
Skill flags: always:false and agent invocation allowed (normal). The guide suggests creating repo hooks (post-commit auto-push) and example persistent PowerShell timers — these are user-side setup suggestions and could create persistent behavior or automatic network pushes if implemented, so users should review before applying.
Guidance
This skill is a coherent, instruction-only best-practices guide for AI-assisted development and appears to be what it claims. Before using its example scripts or following its automation recipes:
1) review any proposed git commands (git reset --hard, auto-push hooks) on a backup or test repo to avoid accidental data loss or unintended pushes;
2) do not enable auto-push/post-commit hooks unless the remote is trusted;
3) audit any files the agent will be instructed to read (LOG.md, memory/tasks/, status/) to ensure they contain no secrets or sensitive data;
4) follow the guide's own security red lines (manual review for auth/payment/DB schema/migrations); and
5) if you let an agent run these commands autonomously, restrict its permissions and monitor operations.
These precautions will keep the guidance useful without exposing your code or secrets.
Latest Release
v1.0.0
Initial release: 10 core principles, PLAN/ACT separation, multi-agent collaboration, disaster recovery, >24h task management, Win11/PowerShell support
Published by @russellfei on ClawHub