Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Review Tui

v1.0.0

Comprehensive BubbleTea TUI code review for terminal applications

by Kevin Anderson (@anderskev)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (BubbleTea TUI code review) match the actions in SKILL.md: running git diffs, grepping Go files for BubbleTea/lipgloss/bubbles/wish patterns, and loading Go/BubbleTea-specific review skills. No unrelated binaries, env vars, or install steps are requested.
Instruction Scope
Instructions explicitly tell the agent to run git and grep against the repository and to re-read actual code beyond diff context — this is expected for a code-review skill but means the skill will read all files it deems relevant in the repo. The SKILL.md also requires loading other skills and spawning subagents; this expands the attack surface because those other skills' behavior and requirements will apply. The review enforcements (e.g., 'MUST report ALL issues in a single review pass') are prescriptive but are a review policy decision rather than a security concern.
Install Mechanism
Instruction-only skill with no install spec and no code files. Nothing is written to disk by an installer; lowest install risk.
Credentials
Skill declares no required environment variables, credentials, or config paths. SKILL.md does not request any secrets. This is proportionate to a static code-review tool.
Persistence & Privilege
Metadata sets disable-model-invocation: true, but SKILL.md expects the agent to load other skills and spawn subagents (which normally requires model invocation/orchestration). This is an internal inconsistency: either the skill cannot perform the subagent/model-driven steps the instructions presume, or the metadata is incorrect. The skill is not always-enabled, and it does not request elevated system-wide privileges.
What to consider before installing
This skill appears to be a focused BubbleTea TUI code-review checklist and does not request credentials or installs, but review these before installing:

- Confirm platform semantics for disable-model-invocation: true. The SKILL.md expects loading sub-skills and spawning subagents; if disabled, the skill's runtime behavior may be broken or the metadata may be wrong. Ask the publisher which is intended.
- Understand that the skill runs repository-level commands (git diff, grep) and will read source files in the repo. Run it only on repositories you trust or in an environment where code access is safe.
- The SKILL.md instructs the agent to load other skills (beagle-go:*). Those other skills may bring their own requirements and privileges — verify those skills' metadata and trustworthiness before allowing them to be loaded.
- Because this is instruction-only, there is no installer but also no static code to audit beyond the SKILL.md. If you need stronger guarantees, request the author provide provenance (homepage, source repo, or signed metadata).

If you want to proceed, ask the publisher to clarify the disable-model-invocation flag and to list/confirm the beagle-go skills the review will load.



