Dangerous exec
- Finding
- Shell command execution detected (child_process).
Security checks across static analysis, malware telemetry, and agentic risk
This skill is a narrow clipboard-reading assistant for review feedback; its clipboard access and fixed local command are disclosed and purpose-aligned, but users should ensure the clipboard contains only the intended text.
Install/use this only if you are comfortable letting the agent read your current clipboard. Before invoking it, copy the specific review comments or feedback you want processed, and do not leave passwords, tokens, or unrelated confidential text on the clipboard.
VirusTotal findings are pending for this skill version.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill executes a local command when invoked, but the observed command only reads clipboard text.
The script uses shell command execution, but the command is fixed and limited to reading the clipboard, matching the documented purpose.
return execSync("pbpaste", { encoding: "utf8" }).trim();
Use it when you intentionally want the agent to read the clipboard, and make sure node and pbpaste are run from trusted system locations.
If the clipboard contains passwords, unrelated private notes, or confidential material beyond the intended review feedback, that text may be exposed to the agent context.
The clipboard text is emitted for the agent to process. This is intended behavior, but clipboard contents can contain confidential or unintended text.
console.log("===CLIPBOARD_TEXT_BEGIN===");
console.log(text);
console.log("===CLIPBOARD_TEXT_END===");
Before invoking, copy only the review feedback you want analyzed and avoid using the skill while secrets or unrelated private content are on the clipboard.