Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Code Review Engine

v1.0.0

Enterprise-grade code review agent. Reviews PRs, diffs, or code files for security vulnerabilities, performance issues, error handling gaps, architecture smells, and test coverage. Works with any language, any repo, no dependencies required.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims enterprise-grade reviews across PRs, local diffs, and GitHub integration, and advertises features like 'heartbeat/cron ready' and 'works with gh CLI'. However, the registry metadata declares no required binaries, no environment variables, no install spec, and no code — so GitHub/cron integration would require external credentials/tools that the skill neither requests nor documents. This is potentially misleading (it could be an instruction-only skill that expects the user to supply PR text), but the README implies tighter integration than the manifest supports.
Instruction Scope
SKILL.md contains detailed, bounded instructions for analyzing code and a clearly defined SPEAR review framework. It instructs the agent to review pasted code, diffs, or provided PR content, and to look for malicious behavior and exfiltration in reviewed sources. It does not instruct the agent to read system files, environment variables, or any unrelated data sources. The only scope ambiguity is how the agent should fetch remote PRs (no credential or fetch procedure specified).
Install Mechanism
This is an instruction-only skill with no install spec or code files — lowest-risk install profile. Nothing will be written to disk or downloaded by the skill itself according to the manifest.
Credentials
The skill requests no environment variables or credentials, which is consistent with an instruction-only reviewer that operates on user-supplied text. However, the README/SKILL.md mention GitHub/gh CLI integration and automated cron/heartbeat reviews without declaring any required tokens or tools. That omission is a mismatch: real GitHub integration normally requires a GH token and/or the gh CLI binary.
Persistence & Privilege
always: false and no install spec mean the skill does not request permanent presence or elevated platform privileges. It is user-invocable and can be invoked autonomously by agents (platform default), but nothing in the manifest gives it special permanent privileges or cross-skill modifications.
What to consider before installing
This skill appears to be a self-contained instruction set for reviewing code you supply (pasted code, diffs, or PR text). Before installing or enabling it:
1) Verify the origin — there is no homepage or source repository, and the owner ID looks non-descriptive.
2) Do not provide repository credentials, API tokens, or secrets to the skill unless it explicitly requests them and you trust the author; the manifest declares no GH token or binaries even though the README mentions GitHub integration.
3) Prefer using it on pasted code or local diffs first; avoid granting automated/cron access to production repos until you confirm how the skill fetches PRs and where credentials would be stored.
4) If you need GitHub integration, request clear documentation from the publisher describing required binaries, env vars (e.g., GH_TOKEN), and how tokens are handled/stored.
5) Because source/homepage are missing, treat outputs as advisory — validate any high-severity findings manually or with additional tools before acting.
If the publisher can provide a source repo or clarify how remote PR access is authorized, re-evaluate once that information is available.


Tags: code-review, devtools, github, latest, pr-review, security
