Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tokio Async Code Review

v1.0.0

Reviews tokio async runtime usage for task management, sync primitives, channel patterns, and runtime configuration. Use when reviewing Rust code that uses t...

0 · 109 · 1 current · 1 all-time
by Kevin Anderson (@anderskev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and runtime instructions all align: the skill is an instruction-only Rust/Tokio async code reviewer and requires no extra binaries, env vars, or installs.
Instruction Scope
The instructions explicitly require reading project files (Cargo.toml and source) and searching for patterns (blocking calls, mutex usage, channels), which is expected for a code reviewer. However, SKILL.md also says: "Load and follow beagle-rust:review-verification-protocol before reporting any issue." That implicitly requires invoking or depending on an external protocol/skill that is neither declared nor explained, which could change the data flow or introduce actions not visible in this skill. The guidance to "report" findings does not specify a destination or say whether findings may be transmitted externally.
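The pattern search described above (blocking calls in async code, std mutex guards held across an await, unbounded channels) is what a Tokio review boils down to. The following is an added example and not the skill's own code: a stand-alone heuristic scanner over Rust source text that uses only the standard library, so it runs without Tokio. The rule list, the rule names and the sample input are constructed for illustration and are assumptions, not anything the skill defines.

```rust
// Added example (not the skill's own code): a heuristic scanner for the Tokio
// anti-patterns a reviewer searches for. Rule list and sample are constructed.

/// Calls that block a Tokio worker thread when used directly in an async fn.
const BLOCKING_CALLS: &[&str] =
    &["std::thread::sleep(", "std::fs::read", "std::fs::write", "reqwest::blocking::"];

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub line: usize,
    pub rule: &'static str,
    pub detail: String,
}

/// Binding name from `let NAME = <expr>.lock()...;` for a std::sync::Mutex.
/// A tokio::sync::Mutex lock reads `.lock().await`, so lines with `.await` are skipped.
fn std_lock_binding(line: &str) -> Option<String> {
    if !line.starts_with("let ") || !line.contains(".lock()") || line.contains(".await") {
        return None;
    }
    let rest = line[4..].trim_start_matches("mut ");
    let name: String = rest.chars().take_while(|c| c.is_alphanumeric() || *c == '_').collect();
    if name.is_empty() { None } else { Some(name) }
}

/// Flag blocking calls inside async fns, std Mutex guards still live at an
/// `.await`, and unbounded mpsc channels. Scopes are approximated by brace
/// counting: this is a review heuristic, not a parser.
pub fn scan(src: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut depth: i32 = 0;
    let mut async_body: Option<i32> = None; // depth at which the current async fn opened
    let mut guard: Option<(String, usize, i32)> = None; // (name, line, depth) of a live std guard

    for (idx, raw) in src.lines().enumerate() {
        let (line_no, line) = (idx + 1, raw.trim());
        if line.starts_with("//") {
            continue;
        }
        if line.contains("async fn ") && line.contains('{') {
            async_body = Some(depth);
            guard = None;
        }
        if async_body.is_some() {
            for call in BLOCKING_CALLS.iter().filter(|c| line.contains(**c)) {
                let detail = format!("{} blocks the worker; use the tokio equivalent or spawn_blocking", call);
                findings.push(Finding { line: line_no, rule: "blocking-call-in-async", detail });
            }
            if let (true, Some((name, lock_line, _))) = (line.contains(".await"), &guard) {
                let detail = format!("guard `{}` taken on line {} is still held at this .await", name, lock_line);
                findings.push(Finding { line: line_no, rule: "std-mutex-guard-across-await", detail });
            }
            if let Some(name) = std_lock_binding(line) {
                guard = Some((name, line_no, depth));
            }
            if line.starts_with("drop(") && guard.as_ref().map_or(false, |(n, _, _)| line.contains(n.as_str())) {
                guard = None;
            }
        }
        if line.contains("unbounded_channel") {
            let detail = "no backpressure: a slow receiver lets the queue grow without bound".to_string();
            findings.push(Finding { line: line_no, rule: "unbounded-channel", detail });
        }
        // Update scope tracking only after the line's own content was checked.
        let closes = line.matches('}').count() as i32;
        depth += line.matches('{').count() as i32 - closes;
        if guard.as_ref().map_or(false, |&(_, _, d)| depth < d) {
            guard = None; // the guard's block closed
        }
        if closes > 0 && async_body.map_or(false, |start| depth <= start) {
            async_body = None;
            guard = None;
        }
    }
    findings
}

/// Constructed sample: one bad async fn, one correct one, and an unbounded channel.
pub const SAMPLE: &str = r#"use std::sync::{Arc, Mutex};
use tokio::sync::mpsc;
async fn handle(state: Arc<Mutex<u64>>) -> u64 {
    let guard = state.lock().unwrap();
    tokio::time::sleep(std::time::Duration::from_millis(5)).await;
    std::thread::sleep(std::time::Duration::from_millis(5));
    *guard
}
async fn handle_ok(state: Arc<Mutex<u64>>) -> u64 {
    let value = {
        let guard = state.lock().unwrap();
        *guard
    };
    tokio::time::sleep(std::time::Duration::from_millis(5)).await;
    value
}
fn main() {
    let (_tx, _rx) = mpsc::unbounded_channel::<u64>();
}"#;

fn main() {
    for f in scan(SAMPLE) {
        println!("line {}: {} ({})", f.line, f.rule, f.detail);
    }
}
```

On the sample the scanner reports the guard held across the `.await` on line 5, the `std::thread::sleep` on line 6, and the unbounded channel on line 18, while `handle_ok` is clean because its guard is released in an inner block before the await. Brace counting and line-based matching are deliberately crude (a `let` split over several lines, or a guard shadowed by another binding, will be missed), which is exactly why a reviewer that searches for patterns this way still needs to read the surrounding code before reporting.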
Install Mechanism
No install spec and no code files — instruction-only. This minimizes on-disk risk; nothing is downloaded or executed by the skill itself.
Credentials
The skill declares no required environment variables, credentials, or config paths. The requested operations (reading project files) are proportional to the stated purpose.
Persistence & Privilege
The skill is configured with always: false and the default (autonomous) invocation mode; it does not request persistent system presence or elevated privileges. The only persistence-related concern is the implicit call to the external verification protocol (beagle-rust), which could cause the agent to interact with other skills or services.
What to consider before installing
This skill appears to be a straightforward, instruction-only Tokio async code reviewer; it requests no credentials and installs nothing, which is good. Two things to check before installing or enabling it: (1) SKILL.md tells the agent to "Load and follow beagle-rust:review-verification-protocol" before reporting issues. Ask what that protocol/skill is, where it lives, and whether it will cause reports or source code to be sent to an external service or to another skill you do not control. (2) The skill will read your repository files (Cargo.toml and source), so do not run it on sensitive code or secrets until you understand where its outputs (reports) are stored or transmitted. If you need higher assurance, ask the author to remove or explain the external protocol dependency, or run the skill in a sandboxed environment on non-sensitive repositories first. Finally, confirm the owner/registry identity (the owner ID looks opaque) before granting the skill broad access in production.

Like a lobster shell, security has layers — review code before you run it.

latestvk974s6c3sp7643exek6txa3r1d83q774
