VS Code Node

Operate on code through a VS Code/Cursor IDE connected as an OpenClaw Node. Provides 40+ commands for file operations, language intelligence, git, testing, d...

This skill appears to do what it says, but before installing: (1) verify and review the referenced VS Code extension and GitHub repo (the SKILL.md links to github.com/xiaoyaner-home/openclaw-vscode) to ensure you trust the extension code; (2) keep the IDE terminal disabled unless you explicitly need it and strictly whitelist only the node commands required; (3) confirm the Gateway's allowCommands whitelist and per-device approvals so the node cannot be invoked unexpectedly; (4) be cautious when using the 'vscode.agent.run' delegation — it can make broad edits or run tests in your workspace, so avoid running it on sensitive repositories without review; (5) if possible, test in a disposable workspace or VM first; and (6) clarify the small metadata mismatch about the 'nodes' tool requirement with the skill author or registry before production use.

Type: OpenClaw Skill Name: vscode-node Version: 1.0.2 This skill is classified as suspicious due to its inherent high-risk capabilities, despite documented security controls. The `SKILL.md` file describes commands like `vscode.terminal.run` (allowing arbitrary command execution), `vscode.file.write`, and `vscode.file.delete` (allowing file system manipulation). While the documentation explicitly states that `vscode.terminal.run` is 'disabled by default, whitelist-only when enabled' and that 'All paths are relative to workspace root — absolute paths and `../` blocked', these capabilities, if misconfigured or if the whitelisting is too permissive, could lead to remote code execution or data loss. There is no evidence of malicious intent or prompt injection attempts within the `SKILL.md` itself, but the power of the exposed commands warrants a 'suspicious' classification.