vet

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent code-review helper, but it should be reviewed before installing because it instructs the agent to run an external vet CLI proactively on git diffs and local conversation histories, which may then be sent to LLM APIs.

Before installing, decide whether you are comfortable with automatic vet runs after code changes and with your code diffs and current agent conversation being processed by the vet CLI and its configured model provider. Prefer an isolated, pinned install; verify the verify-everything package source; avoid using conversation history on sensitive tasks; and require confirmation before running vet if the repository or session may contain secrets.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may frequently run a third-party analyzer over current work without asking at each review point.

Why it was flagged

This directs the agent to autonomously and repeatedly invoke the vet CLI after code edits, rather than waiting for explicit user approval each time.

Skill content

Run vet immediately after ANY logical unit of code changes. Do not batch your changes, do not wait to be asked to run vet, make sure you are proactive.

Recommendation

Install only if you want automatic vet runs; otherwise require confirmation before invoking vet, especially when the repository or conversation contains sensitive information.

What this means

Private code, prompts, tool outputs, and possibly unrelated changes in the same repo may be exposed to the vet tool and its configured model/API provider.

Why it was flagged

The skill explicitly combines code diffs and conversation history as analysis input, and indicates that the default path calls an API directly unless agentic mode is used. The artifacts do not specify redaction or retention controls.

Skill content

Vet reviews git diffs and conversation history... Vet analyzes the full git diff from the base commit... `--agentic`: Mode that routes analysis through the locally installed Claude Code or Codex CLI instead of calling the API directly. Try this if vet fails due to missing API keys.

Recommendation

Use vet without conversation history for sensitive work, review what session file is selected, avoid including secrets in sessions, and confirm the provider/data-retention policy before using API-backed analysis.

What this means

Vet may consume API credentials configured on the machine and spend provider quota or access provider accounts, but the artifacts do not show credential theft or hardcoded secrets.

Why it was flagged

The documentation implies the vet CLI may use existing API credentials, although no credential is declared in the registry metadata.

Skill content

Try this if vet fails due to missing API keys.

Recommendation

Use scoped API keys, monitor provider usage, and document which credentials vet is expected to use.

What this means

Installing or updating the package runs code from the package source, so package compromise or version drift could affect the environment.

Why it was flagged

The skill relies on an external, unpinned package install for its main CLI. This is purpose-aligned, but the installed package code is not included in the supplied artifacts.

Skill content

pip install verify-everything ... pipx install verify-everything ... uv tool install verify-everything

Recommendation

Install from a trusted source, prefer an isolated environment such as pipx or uv, pin a reviewed version, and verify the package repository before enabling automatic use.

What this means

Running the history loader executes a local command and depends on the installed opencode binary behaving as expected.

Why it was flagged

The OpenCode history exporter invokes the local opencode CLI. It passes an argument list rather than a shell string, so the session ID is not subject to shell interpolation, and the call is aligned with the skill's purpose of exporting session history.

Skill content

subprocess.run(["opencode", "export", args.session_id], stdout=f, stderr=subprocess.PIPE)

Recommendation

Keep the opencode CLI trusted and up to date, and ensure the session ID being exported is the intended current session.