Testing & Security
QA, penetration testing, and code quality.
edgeone-clawscan
The first security skill to install after setting up OpenClaw — powered by Tencent Zhuque Lab. Works like an antivirus for your AI environment: audits installed skills, scans skills before installation, and performs a full OpenClaw security health check to prevent data leaks and privacy risks. Backed by Tencent Zhuque Lab A.I.G (AI-Infra-Guard). Use when the user asks to start a security health check or security scan for the current OpenClaw environment, such as `开始安全体检`, `做一次安全体检`, `开始安全扫描`, `全面安全检查`, or `检查 OpenClaw 安全`; also use when the user asks to audit a specific skill before installation, review installed skills for supply chain risk, or investigate whether a skill is safe. Do not trigger for general OpenClaw usage, project debugging, environment setup, or normal development requests. Optional cloud mode: set AIG_CLOUD_LOOKUP=off for zero outbound HTTPS; when enabled, only skill_name, source label, and OpenClaw version are sent to A.I.G (never skill bodies, chats, or workspace files).
edgeone-skill-scanner
Scan any agent skill for security risks before you install or use it. Powered by Tencent Zhuque Lab A.I.G (AI-Infra-Guard). 100% local static analysis — no file contents or credentials leave your device. Compatible with CodeBuddy, Cursor, Windsurf, Claude Code, OpenClaw and more. Triggers on: `这个 skill 安全吗`, `skill 安全扫描`, `检查 skill 安全`, `audit skill`, `scan skill`, `check skill safety`, `analyze skill`, `inspect skill`, `verify skill`, `skill security`, `skill supply chain`. Do NOT trigger for general agent usage, full system health checks, project debugging, or normal development.
code-execution
Use when a subtask is ready to implement and has a subtask JSON file with acceptance criteria and deliverables.
code-review
Use when code has been written and needs validation before committing, or when the user asks for a code review or security check.
verification-before-completion
Use when about to claim work is complete, fixed, or passing, before committing or creating PRs — requires running verification commands and confirming output before making any success claims; evidence before assertions, always.
test-generation
Use when the user asks for tests, mentions TDD, or when new code has been written and needs test coverage.
summarize-run
Extract a W&B run summary into a structured experiment report.
react-native-testing
Write tests using React Native Testing Library (RNTL) v13 and v14 (`@testing-library/react-native`). Use when writing, reviewing, or fixing React Native component tests. Covers: render, screen, queries (getBy/getAllBy/queryBy/findBy), Jest matchers, userEvent, fireEvent, waitFor, and async patterns. Supports v13 (React 18, sync render) and v14 (React 19+, async render). Triggers on: test files for React Native components, RNTL imports, mentions of "testing library", "write tests", "component tests", or "RNTL".
avoid-hallucinating-specifics
Common mistake — stating specific facts (API endpoints, library versions, config options, function signatures) with false confidence when uncertain. Always flag uncertainty rather than guessing specifics.
test-before-ship
Use this skill when implementing a new feature or fixing a bug. Write or update tests before marking the task done. Never consider code complete without verifying it works through automated tests.
auth-and-authorization-patterns
Use this skill when implementing authentication (login, token issuance) or authorization (access control, permissions). Apply whenever the task involves login flows, JWT, OAuth2, session management, or RBAC.
input-validation-and-sanitization
Use this skill when implementing any endpoint, form handler, CLI tool, or function that accepts external input. Validate and sanitize all untrusted data before processing — never assume input is safe.
secrets-management
Use this skill when handling API keys, passwords, tokens, private keys, or any sensitive credential. Never hardcode secrets in source code — apply this whenever the word "key", "token", "password", or "secret" appears in the task.
secure-code-review
Use this skill when reviewing or writing code that handles user input, authentication, file I/O, network requests, or database queries. Always check for common security vulnerabilities before considering the code complete.
epic-hypothesis
Frame an epic as a testable hypothesis with target user, expected outcome, and validation method. Use when defining a major initiative before roadmap, discovery, or delivery planning.
high-level-code-review
Reviewing a change for semantic correctness, simplicity, design consistency, and completeness.
validating-a-change
Comprehensive validation of a change to ensure it is correct and ready for a pull request.
adding-tests
Analyzing a change to determine what tests are needed and adding them to the test suite.
running-tests
Running tests at various levels from smoke tests to full suite to randomized tests.
subsystem-summary-of-test
Read this skill for a token-efficient summary of the test subsystem.
run-test
Use when the user asks to run tests, run qunit, execute unit tests, test this module, test this change, find test URL, test Button/Router/Table/Dialog/MessageBox/Input/Control, locate .qunit.html, search testsuite, can't find test file, where is qunit test, how to run UI5 module test, or needs a test-resources URL for OpenUI5 modules.