OpenClaw TDD Assistant

Test-Driven Development assistant. Generates test cases from code or specifications, runs tests, tracks coverage, and guides the red-green-refactor cycle. Su...

This skill is largely coherent with a local TDD assistant, but take these precautions before installing or running it: 1) Run the scripts in an isolated environment (temporary VM, container, or a sandboxed workspace) because executing tests will import and run your project code and could execute arbitrary code. 2) Be aware the tool writes coverage and pytest JSON to /tmp — in multi-user or CI runners this can cause conflicts or expose data; consider editing the scripts to use per-run temp files or a local directory. 3) The documentation claims JavaScript/Go support but the provided code implements Python (and only conditional C support) — don't expect Jest/go test functionality from this package as-is. 4) The generated tests import modules with 'from <module> import *' which can trigger module-level side effects; review generated tests before running. 5) Ensure required tools (pytest, coverage, optional C support libraries) are installed in your environment. If you need higher assurance, review the scripts locally or run them on a disposable container/CI runner first.

Type: OpenClaw Skill Name: oc-tdd Version: 1.1.0 The bundle provides TDD utilities for test generation and execution, but contains several high-risk patterns and vulnerabilities. Specifically, scripts/coverage.py and scripts/runner.py use hardcoded, predictable temporary file paths in /tmp (e.g., /tmp/coverage.json and /tmp/pytest_report.json), which are vulnerable to symlink attacks on multi-user systems. Additionally, the tool executes subprocesses using user-provided targets and dynamically modifies the Python path to load external 'c-support' libraries, which increases the attack surface for local privilege escalation or code injection.