ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tech Debt Tracker

v2.1.1

Scan codebases for technical debt, score severity, track trends, and generate prioritized remediation plans. Use when users mention tech debt, code quality,...

0· 630·3 current·3 all-time
byAlireza Rezvani@alirezarezvani
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description describe a code-scanning + prioritization + dashboard tool, and the repository contains scanner, prioritizer, and dashboard scripts that align with that purpose. However, the assets include sample application code (payment_processor.py, user_service.py, frontend.js) containing hard-coded API keys, database URLs, and calls to external payment APIs. Those sample files may be intended as inputs for the scanner, but they are not required by the scanner itself and introduce unexpected sensitive-looking data into the package.
Instruction Scope
SKILL.md and README instruct the agent/operator to run local Python scripts (e.g., python scripts/debt_scanner.py /path/to/codebase) and to integrate scanning into CI. The instructions do not explicitly tell the agent to read system-wide config, arbitrary host files, or to POST results to unexpected remote endpoints. That said, the README references optional integrations (Jira/GitHub/Chat systems) and an example automated-reporting bash snippet — those integrations would require external configuration and could send scan outputs off-host if enabled.
Install Mechanism
There is no install specification (instruction-only skill). No packages are pulled or arbitrary URLs downloaded by the skill manifest itself, minimizing installer risk. The risk surface comes from running the included scripts locally.
!
Credentials
The skill declares no required environment variables or credentials, but multiple included sample/source files contain hard-coded secrets and connection strings: e.g., stripe_key/paypal_key/square_key in assets/sample_codebase/src/payment_processor.py, API_KEY and DATABASE_URL in assets/sample_codebase/src/user_service.py, and API_KEY in frontend.js. Those secrets are not justified by the skill manifest (the scanner should not need them) and could be confusing or accidentally used. Presence of calls to external endpoints (api.stripe.com, api.paypal.com, connect.squareup.com, API_BASE_URL in frontend.js) in sample code is expected for a payment example but means the repository contains code that, if executed, would make network calls using embedded credentials.
Persistence & Privilege
The skill does not request permanent presence (always: false) and is user-invocable. It does not declare modifications to other skills or system-wide settings. Autonomous invocation is allowed (disable-model-invocation: false) which is platform default; this combination is not, by itself, an additional red flag given other issues.
What to consider before installing
This skill seems to implement a legitimate tech-debt scanning + prioritization workflow, but exercise caution before running it against real repositories or adding it to CI: - Review the scanner/prioritizer/dashboard scripts (scripts/debt_scanner.py, scripts/debt_prioritizer.py, scripts/debt_dashboard.py) before running. Search them for any code that sends data to external hosts (HTTP POST/PUT to remote endpoints, or explicit uploads). If you can't review the full source, don't run it on sensitive projects. - The package contains sample application code with hard-coded secrets (Stripe/PayPal/Square keys, a DATABASE_URL, API_KEY values). Treat these as samples only — do not assume they are safe or valid credentials. If you plan to publish or share results, remove or redact sample secrets first. - Run the tools in an isolated environment (sandbox or VM) and on a non-sensitive copy of your repository first. Verify outputs locally before enabling any integrations that post reports to Jira/Slack/GitHub or other external services. - If you will integrate into CI, require explicit configuration of connectors and inspect any code that performs automatic uploads. Only provide external-service credentials to the integrations you explicitly configure, and prefer ephemeral/scoped tokens. What would change this assessment: viewing the full content of the scripts to confirm there are no hidden exfiltration paths (e.g., hardcoded webhook URLs, telemetry uploads, or automatic remote POSTs), and confirmation from the author that included secrets are purely illustrative and that connectors are opt-in and authenticated only by user-provided credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d93jaxj270z5yv5wtmnj96982nxb7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments