Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Macros Code Review
v1.0.0
Reviews Rust macro code for hygiene issues, fragment misuse, compile-time impact, and procedural macro patterns. Use when reviewing macro_rules! definitions,...
by Kevin Anderson (@anderskev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and included reference documents align with the instructions: this is a Rust macro review checklist. Required binaries, env vars, and install steps are absent and appropriate for an instruction-only reviewer skill.
Instruction Scope
Most runtime instructions are scoped to reading the codebase (Cargo.toml, macro definitions) and internal references included with the skill. However, the step "Verify before reporting — Load `beagle-rust:review-verification-protocol` before submitting findings" references loading an external protocol/skill/resource that is neither declared nor explained. That could cause the agent to call another skill, access an external endpoint, or transmit report data. The instructions otherwise do not request unrelated system files or secrets.
Install Mechanism
No install spec and no code files that run automatically — the skill is instruction-only, which is low-risk. The included reference markdown files are local and static.
Credentials
The skill requests no environment variables, credentials, or config paths. Nothing in the checklist appears to require extra secrets or unrelated credentials.
Persistence & Privilege
The skill is not marked always:true and does not request elevated persistence or to modify other skills. Autonomous invocation is allowed by default for skills on the platform; combined with the unexplained external load step this increases blast radius but alone is standard behavior.
What to consider before installing
This skill is largely a benign, self-contained Rust macro review checklist and includes helpful reference material. The main red flag is the single line instructing the agent to "Load beagle-rust:review-verification-protocol" before submitting findings — that external load is not declared in the skill metadata. Before installing or enabling this skill, ask the publisher or inspect your agent configuration to learn what "beagle-rust:review-verification-protocol" is (a local helper skill, an external service, or an RPC endpoint), whether the agent will send your code or findings to a third party, and whether that behavior is acceptable. If you cannot verify that step, consider removing or editing that line so the skill does not trigger undeclared external communications. If you can confirm that the verification protocol is an internal helper with no network exfiltration, the skill appears coherent and appropriate. Additional information that would raise confidence to high: documentation or source for the referenced verification protocol and an explicit statement that no external network transmission of repository contents occurs.
Like a lobster shell, security has layers — review code before you run it.
