← Back to Skills Marketplace
alirezarezvani

Tech Debt Tracker

by Alireza Rezvani · GitHub ↗ · v2.1.1 · MIT-0
cross-platform ⚠ suspicious
702
Downloads
0
Stars
3
Active Installs
2
Versions
Install in OpenClaw
/install tech-debt-tracker
Description
Scan codebases for technical debt, score severity, track trends, and generate prioritized remediation plans. Use when users mention tech debt, code quality,...
Usage Guidance
This skill seems to implement a legitimate tech-debt scanning + prioritization workflow, but exercise caution before running it against real repositories or adding it to CI: - Review the scanner/prioritizer/dashboard scripts (scripts/debt_scanner.py, scripts/debt_prioritizer.py, scripts/debt_dashboard.py) before running. Search them for any code that sends data to external hosts (HTTP POST/PUT to remote endpoints, or explicit uploads). If you can't review the full source, don't run it on sensitive projects. - The package contains sample application code with hard-coded secrets (Stripe/PayPal/Square keys, a DATABASE_URL, API_KEY values). Treat these as samples only — do not assume they are safe or valid credentials. If you plan to publish or share results, remove or redact sample secrets first. - Run the tools in an isolated environment (sandbox or VM) and on a non-sensitive copy of your repository first. Verify outputs locally before enabling any integrations that post reports to Jira/Slack/GitHub or other external services. - If you will integrate into CI, require explicit configuration of connectors and inspect any code that performs automatic uploads. Only provide external-service credentials to the integrations you explicitly configure, and prefer ephemeral/scoped tokens. What would change this assessment: viewing the full content of the scripts to confirm there are no hidden exfiltration paths (e.g., hardcoded webhook URLs, telemetry uploads, or automatic remote POSTs), and confirmation from the author that included secrets are purely illustrative and that connectors are opt-in and authenticated only by user-provided credentials.
Capability Analysis
Type: OpenClaw Skill Name: tech-debt-tracker Version: 2.1.1 The tech-debt-tracker bundle is a legitimate toolset designed to identify and manage technical debt. While the included sample codebase (e.g., `payment_processor.py`, `user_service.py`, and `frontend.js`) contains numerous critical vulnerabilities such as hardcoded API keys, database credentials, and SQL injection risks, these are explicitly labeled as intentional examples of 'debt' for the scanner to detect. The core logic in `debt_scanner.py`, `debt_prioritizer.py`, and `debt_dashboard.py` focuses on static analysis, scoring, and reporting without any evidence of malicious intent, data exfiltration, or unauthorized command execution.
Capability Assessment
Purpose & Capability
The name/description describe a code-scanning + prioritization + dashboard tool, and the repository contains scanner, prioritizer, and dashboard scripts that align with that purpose. However, the assets include sample application code (payment_processor.py, user_service.py, frontend.js) containing hard-coded API keys, database URLs, and calls to external payment APIs. Those sample files may be intended as inputs for the scanner, but they are not required by the scanner itself and introduce unexpected sensitive-looking data into the package.
Instruction Scope
SKILL.md and README instruct the agent/operator to run local Python scripts (e.g., python scripts/debt_scanner.py /path/to/codebase) and to integrate scanning into CI. The instructions do not explicitly tell the agent to read system-wide config, arbitrary host files, or to POST results to unexpected remote endpoints. That said, the README references optional integrations (Jira/GitHub/Chat systems) and an example automated-reporting bash snippet — those integrations would require external configuration and could send scan outputs off-host if enabled.
Install Mechanism
There is no install specification (instruction-only skill). No packages are pulled or arbitrary URLs downloaded by the skill manifest itself, minimizing installer risk. The risk surface comes from running the included scripts locally.
Credentials
The skill declares no required environment variables or credentials, but multiple included sample/source files contain hard-coded secrets and connection strings: e.g., stripe_key/paypal_key/square_key in assets/sample_codebase/src/payment_processor.py, API_KEY and DATABASE_URL in assets/sample_codebase/src/user_service.py, and API_KEY in frontend.js. Those secrets are not justified by the skill manifest (the scanner should not need them) and could be confusing or accidentally used. Presence of calls to external endpoints (api.stripe.com, api.paypal.com, connect.squareup.com, API_BASE_URL in frontend.js) in sample code is expected for a payment example but means the repository contains code that, if executed, would make network calls using embedded credentials.
Persistence & Privilege
The skill does not request permanent presence (always: false) and is user-invocable. It does not declare modifications to other skills or system-wide settings. Autonomous invocation is allowed (disable-model-invocation: false) which is platform default; this combination is not, by itself, an additional red flag given other issues.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install tech-debt-tracker
  3. After installation, invoke the skill by name or use /tech-debt-tracker
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.1.1
v2.1.1: optimization, reference splits
v1.0.0
Initial release
Metadata
Slug tech-debt-tracker
Version 2.1.1
License MIT-0
All-time Installs 3
Active Installs 3
Total Versions 2
Frequently Asked Questions

What is Tech Debt Tracker?

Scan codebases for technical debt, score severity, track trends, and generate prioritized remediation plans. Use when users mention tech debt, code quality,... It is an AI Agent Skill for Claude Code / OpenClaw, with 702 downloads so far.

How do I install Tech Debt Tracker?

Run "/install tech-debt-tracker" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Tech Debt Tracker free?

Yes, Tech Debt Tracker is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Tech Debt Tracker support?

Tech Debt Tracker is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Tech Debt Tracker?

It is built and maintained by Alireza Rezvani (@alirezarezvani); the current version is v2.1.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments