Downloads: 798
Stars: 0
Active Installs: 1
Versions: 2
Install in OpenClaw
/install validator-agent
Description
Validates project pre-deployment by running comprehensive security, testing, quality, documentation, CI/CD, privacy, maintainability, usability, marketabilit...
Usage Guidance
This skill appears to do the validation tasks it describes, but it will execute project-provided scripts (npm test, npm run lint, forge commands, etc.) which can run arbitrary code from the repository. Before installing or running it:
1) only run the skill on projects you trust or inside an isolated environment (container, VM, CI runner with restricted permissions);
2) ensure the agent environment has the expected tools (node/npm/npx, forge, slither, type-coverage) or the skill may fail;
3) be aware it writes reports to ops/reports/, despite claiming to be 'read-only';
4) prefer running this on CI or sandboxed machines rather than on a developer workstation with access to secrets;
5) note the package metadata and registry metadata mismatch and the skill has no published source/homepage — consider asking the publisher for provenance before use.
Capability Analysis
Type: OpenClaw Skill
Name: validator-agent
Version: 1.1.0
The skill is highly suspicious due to critical shell injection vulnerabilities. The `<project>` placeholder, which is user-controlled input, is directly concatenated into multiple `cd <project> && ...` shell commands within SKILL.md (e.g., Round 0, Round 1, Round 2, Round 3, Round 4). This allows an attacker to inject arbitrary shell commands, leading to Remote Code Execution (RCE). Additionally, the report saving path `ops/reports/validator-YYYY-MM-DD-HH-[project].md` uses the unsanitized `<project>` input, creating a path traversal vulnerability that could allow writing the report to arbitrary file system locations.
Capability Assessment
Purpose & Capability
The SKILL.md behavior (TypeScript and Solidity validation: tsc/forge, npm audit, tests, lint, type-coverage, docs/changelog checks) aligns with the skill name and description. However the skill does not declare the many runtime tools it actually expects (node/npm/npx, forge, slither, type-coverage, tail) — the packaged metadata lists only a generic 'exec' requirement. This mismatch means the agent environment may lack required binaries or the operator may be surprised by tools the skill will invoke.
Instruction Scope
The instructions tell the agent to cd into project folders and run project-provided commands (npm test, npm run lint, npx tsc, forge build/test, npm audit, npx type-coverage). Running those commands executes code and scripts from the target repository (package.json scripts, test/setup code, etc.), which can run arbitrary commands with the agent's privileges. The skill also reads workspace-level files (ops/test-baselines.md, package.json, README.md, CHANGELOG.md) and writes reports to ops/reports/..., so although the SKILL.md claims 'read-only', it writes output into the workspace. There are no instructions to limit or sandbox script execution.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes install-time risk. There is no URL download or package install performed by the skill bundle itself.
Credentials
The skill declares no required environment variables or credentials, which is consistent with its stated checks. However it implicitly requires various binaries and tools (node/npm/npx, forge, slither, type-coverage, tail) that are not declared as required. That omission reduces transparency about the privileges and capabilities the skill will use at runtime.
Persistence & Privilege
The skill is not always-enabled and uses normal autonomous invocation settings. It does not request persistent system configuration changes in its files. The only notable behavior is saving reports into ops/reports/, which is normal for a reporting tool but contradicts the SKILL.md's 'read-only' claim about not modifying code.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install validator-agent`
- After installation, invoke the skill by name or use `/validator-agent`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Validator Agent 1.1.0 — concise pipeline, 8-entry checklist, and TypeScript/Solidity focus
- Overhauled documentation: now describes a focused 8-round validation pipeline (compile, lint, test, security, type coverage, docs, changelog, final summary)
- Skill narrowed to TypeScript/Solidity; project detection clarified via `package.json` and `foundry.toml`
- Removed extensive/complex checklist and broad language support; simplified for clarity and reliability
- Dropped README.md in favor of documentation in SKILL.md
- Improved output and review flow: produces a `validator-YYYY-MM-DD-HH-[project].md` report with clear pass/block decision
- Makes clear this skill never auto-publishes, only reports and recommends
v1.0.0
Initial release: 10-section pre-deployment quality gate for OpenClaw skills
Frequently Asked Questions
What is Validator Agent?
Validates project pre-deployment by running comprehensive security, testing, quality, documentation, CI/CD, privacy, maintainability, usability, marketabilit... It is an AI Agent Skill for Claude Code / OpenClaw, with 798 downloads so far.
How do I install Validator Agent?
Run "/install validator-agent" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Validator Agent free?
Yes, Validator Agent is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Validator Agent support?
Validator Agent is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Validator Agent?
It is built and maintained by up2itnow (@up2itnow); the current version is v1.1.0.