Hollow Validation Checker

Author: andyxinweiminicloud · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 632 · Favorites: 0 · Current installs: 1 · Versions: 1
Install in OpenClaw
/install hollow-validation-checker
Description
Helps detect hollow validation in AI agent skills — identifies fake tests that always pass without actually verifying behavior, like validation commands that...
Usage instructions (SKILL.md)

Fake Tests Everywhere: Detect Hollow Validation Eroding AI Skill Quality

Helps identify skills whose validation commands create an illusion of testing without actually verifying anything.

Problem

Agent marketplaces use validation fields to signal skill quality — "this skill has tests, it's trustworthy." But what if the test is echo 'ok'? Or console.log('passed'); process.exit(0)? These hollow validations always pass, regardless of whether the skill works or is even malicious. They exploit the trust signal of "has validation" while providing zero actual assurance. Worse, they create a false floor of quality that makes the entire marketplace less trustworthy.

What This Checks

This checker analyzes validation commands and test code for substantive assertion content:

  1. Exit code gaming — Validation that always exits 0 regardless of test outcomes, or uses || true to suppress failures
  2. Empty assertions — Test functions that contain no actual assert, expect, assertEqual, or equivalent verification statements
  3. Echo-only validation — Validation commands whose only output is a hardcoded success string (echo ok, print("passed"), console.log("tests passed"))
  4. Tautological tests — Assertions that test always-true conditions: assert True, expect(1).toBe(1), assertEqual("a", "a")
  5. Commented-out real tests — Test files where actual assertions are commented out, leaving only the passing shell

How to Use

Input: Provide one of:

  • A Capsule/Gene JSON (the validation field will be analyzed)
  • Raw validation command or test script
  • A batch of skills to compare validation quality across a set

Output: A validation quality report containing:

  • Validation command breakdown
  • Assertion inventory (real vs hollow)
  • Quality rating: SUBSTANTIVE / WEAK / HOLLOW
  • Specific findings with evidence

Example

Input: Capsule with validation field

{
  "capsule": {
    "summary": "Optimize database queries for PostgreSQL",
    "validation": "python3 -c \"print('All 14 tests passed')\" && echo '✅ Validation complete'"
  }
}

Check Result:

🎭 HOLLOW — No substantive assertions found

Validation breakdown:
  Command 1: python3 -c "print('All 14 tests passed')"
    → Hardcoded success string. No actual test execution.
    → Claims "14 tests" but runs zero tests.

  Command 2: echo '✅ Validation complete'
    → Static echo, always passes.

Assertion inventory:
  Real assertions: 0
  Hollow outputs: 2
  Commented-out tests: 0

Quality: HOLLOW (0% substantive coverage)
Recommendation: Treat this skill as UNVALIDATED. The validation field
creates a false impression of test coverage. Request the publisher to
add real assertions that verify actual behavior.
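
The echo-only, exit-code-gaming and tautology checks can be approximated by a small static classifier run over the capsule above. This is an added example, not the skill's own code (the skill is instruction-only); the names `split_commands`, `is_hollow` and `rate`, the pattern sets, and the mapping from findings to SUBSTANTIVE / WEAK / HOLLOW are assumptions. The validation text is only tokenized, never executed.

```python
import json
import re
import shlex

ECHO_ONLY = {"echo", "printf", "true", ":"}   # fixed output or no-op, cannot fail a check
INLINE_FLAGS = {"python": "-c", "python3": "-c", "node": "-e"}
# A statement that only prints a string literal or exits 0 (assumed, non-exhaustive).
PRINT_STMT = re.compile(r"(print|console\.log)\(\s*(['\"]).*\2\s*\)|(process\.|sys\.)?exit\(0\)")
TAUTOLOGY = re.compile(r"assert\s+True\b|expect\(1\)\.toBe\(1\)")

def split_commands(validation):
    """Tokenize a shell line and split it on && || ; (the input is never executed)."""
    lexer = shlex.shlex(validation, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    chain = [([], None)]                       # (argv, operator that follows it)
    for tok in lexer:
        if tok in ("&&", "||", ";"):
            chain[-1] = (chain[-1][0], tok)
            chain.append(([], None))
        else:
            chain[-1][0].append(tok)
    return [(argv, op) for argv, op in chain if argv]

def is_hollow(argv):
    """True for static output, or an interpreter one-liner that only prints/exits 0."""
    name = argv[0].rsplit("/", 1)[-1]
    if name in ECHO_ONLY:
        return True
    flag = INLINE_FLAGS.get(name)
    if flag and flag in argv[1:-1]:
        program = argv[argv.index(flag) + 1]
        stmts = [s.strip() for s in re.split(r"[;\n]", program) if s.strip()]
        return all(PRINT_STMT.fullmatch(s) or TAUTOLOGY.fullmatch(s) for s in stmts)
    return False

def rate(validation):
    """Rate one validation line; the rating thresholds are this example's assumption."""
    chain = split_commands(validation)
    found = {"real": [], "hollow": [], "gamed": []}
    for (argv, op), (nxt, _) in zip(chain, chain[1:] + [([None], None)]):
        kind = ("hollow" if is_hollow(argv) else      # "gamed": failure swallowed by || true
                "gamed" if op == "||" and nxt[0] in ("true", ":") else "real")
        found[kind].append(" ".join(argv))
    rating = "HOLLOW" if not found["real"] else ("WEAK" if found["gamed"] else "SUBSTANTIVE")
    return {"rating": rating, **found}

# Constructed input: the capsule from the example above (\u2705 is the check-mark emoji).
CAPSULE = json.loads(r'''{"capsule": {"summary": "Optimize database queries for PostgreSQL",
  "validation": "python3 -c \"print('All 14 tests passed')\" && echo '\u2705 Validation complete'"}}''')
print(rate(CAPSULE["capsule"]["validation"]))
```

A command filed under "real" is only "not provably hollow": a test runner invoked here may still run trivial tests, which is the limitation described below.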

Limitations

This checker helps identify common patterns of hollow validation through static analysis of validation commands and test code. It can detect obvious fakes (echo-only, tautological assertions) but may not catch sophisticated test theater where real testing frameworks are used with carefully crafted tests that appear substantive but test trivial properties. Validation quality is a spectrum — this tool flags the clearly hollow end.

Security usage recommendations
This skill appears internally consistent and low-risk: it only describes static analysis of validation commands and requests no secrets. Before using it, remember: (1) it may analyze and print whatever validation text you give it, so avoid feeding sensitive secrets or private tokens in the validation field; (2) static checks can flag obvious hollow tests but will miss sophisticated 'test theater' — treat its findings as signals, not definitive security guarantees; and (3) because it is instruction-only, review sample inputs/outputs to ensure its heuristics match your expectations.
Functional analysis
Type: OpenClaw Skill
Name: hollow-validation-checker
Version: 1.0.0
The skill's stated purpose is to analyze arbitrary validation commands and test scripts provided as input. This inherently involves processing untrusted code, which is a high-risk operation. While the `SKILL.md` itself does not contain malicious instructions or prompt injection, the design of the skill, as described, creates a significant vulnerability surface if its implementation does not rigorously sanitize or sandbox the untrusted input. The declared requirement for `curl` and `python3` in `SKILL.md` further highlights capabilities that, when combined with untrusted input processing, could lead to severe vulnerabilities like RCE if not handled securely.
Capability assessment
Purpose & Capability
The name and description claim static analysis of validation commands/tests; the only declared runtime dependencies are curl and python3, which are plausible for fetching inputs and running simple parsers. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md describes static analysis of validation fields, raw commands, or test scripts and explains limitations. It does not instruct the agent to read arbitrary system files, access environment variables, or transmit data to unexpected endpoints. The scope is narrowly focused on parsing and pattern detection of validation content.
Install Mechanism
There is no install spec and no code files — this is instruction-only. Nothing will be written to disk or downloaded by the skill itself, minimizing persistence and supply-chain risk.
Credentials
The skill requests no environment variables or credentials. The two required binaries (curl, python3) are proportionate to a tool that may fetch capsules or run lightweight parsing heuristics.
Persistence & Privilege
always:false and default invocation settings are used. The skill does not request persistent presence or modification of other skills or system configurations.
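How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install hollow-validation-checker
  3. Once installed, invoke the Skill by name or trigger it with /hollow-validation-checker
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history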
v1.0.0
Initial release – provides detection of hollow validation in AI agent skills:
  • Analyzes validation commands and test scripts for evidence of real vs fake testing.
  • Flags empty, tautological, echo-only, and exit-code-gaming validations.
  • Reports a validation quality rating (SUBSTANTIVE / WEAK / HOLLOW) with supporting evidence.
  • Designed for use with Capsule/Gene JSON, raw commands, or batches of skills.
  • Outputs a detailed breakdown of findings and recommendations.
Metadata
Slug hollow-validation-checker
Version 1.0.0
License
Total installs 1
Current installs 1
Versions to date 1
FAQ

What is Hollow Validation Checker?

Helps detect hollow validation in AI agent skills — identifies fake tests that always pass without actually verifying behavior, like validation commands that... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 632 total downloads to date.

How do I install Hollow Validation Checker?

Run the command "/install hollow-validation-checker" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Hollow Validation Checker free?

Yes, Hollow Validation Checker is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Hollow Validation Checker support?

Hollow Validation Checker runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Hollow Validation Checker?

Developed and maintained by andyxinweiminicloud (@andyxinweiminicloud); the current version is v1.0.0.
