Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nm Abstract Plugin Review

v1.8.3

Review plugin quality with tiered checks and dependency-aware scoping. Use for PR validation and pre-release audits.

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the actual operations: detecting changed plugins, building a check matrix, running validators, tests, linters, typechecks, dependency scans, and invoking evaluation skills. The declared config paths (night-market.*-eval) align with the SKILL.md's use of Skill(abstract:skills-eval / hooks-eval / rules-eval).
Instruction Scope
Instructions stay within the reviewer role (git diffs, reading docs/plugin-dependencies.json, running validators, calling make test/lint/typecheck, invoking other evaluation skills). However, many steps run repository-provided code and scripts (make test, python scripts, update_plugin_registrations.py, generate_dependency_map.py), which may execute arbitrary code or network activity from the reviewed repository — this is expected for a reviewer but elevates operational risk.
Install Mechanism
Instruction-only skill with no install spec and no external downloads. No packages or remote installers are pulled by the skill itself.
Credentials
No environment variables or external credentials are requested. The declared required config paths correspond to internal evaluation configs the skill uses. Nothing asks for unrelated secrets or cloud credentials.
Persistence & Privilege
Skill is not forced-always or otherwise privileged. It can invoke other skills (expected for orchestration). It does not request to modify other skills' configs; scripts it calls may modify the repo, but many steps use dry-run/--stdout patterns or are read-only in the provided instructions.
Assessment
This skill appears coherent for repository-level plugin audits. Important cautions before running:

  1. Many checks run repository tests and scripts (make test, python scripts). Those can execute arbitrary code or perform network I/O from the reviewed repo — run in an isolated/sandboxed CI worker or container when reviewing untrusted repositories.
  2. The skill invokes other evaluation skills (skills-eval, hooks-eval, rules-eval); ensure those skills are installed and trusted.
  3. Review any repo scripts the skill will call (update_plugin_registrations.py, generate_dependency_map.py, test suites) if you need to prevent side effects; prefer --dry-run/--stdout options or run with restricted permissions.
  4. No external credentials are requested by the skill itself, but test suites or scripts in the repo could be written to read environment variables — avoid running on hosts with sensitive env vars mounted.


Runtime requirements

🦞 Clawdis
Config: night-market.skills-eval, night-market.hooks-eval, night-market.rules-eval
latest: vk9724fagcxy2yjyzcyx9ct977984kvfw
76 downloads
0 stars
2 versions
Updated 1w ago
v1.8.3
MIT-0

Night Market Skill — ported from claude-night-market/abstract. For the full experience with agents, hooks, and commands, install the Claude Code plugin.

Plugin Review

Tiered quality review of plugins with dependency-aware scoping.

Tiers

Tier      Trigger              Scope                Depth        Duration
branch    Default              Affected + related   Quick gates  ~2 min
pr        Before merge         Affected + related   Standard     ~5 min
release   Before version bump  All 17 plugins       Full         ~15 min

Orchestration

  1. Detect scope: parse --tier flag, find affected plugins from git diff, resolve related plugins from docs/plugin-dependencies.json
  2. Plan: build check matrix (tier x plugin x role)
  3. Execute: run checks per tier definition
  4. Report: per-plugin table, aggregate verdict

Scope Detection

Affected plugins: git diff main --name-only filtered to plugins/*/.

Related plugins: load docs/plugin-dependencies.json, look up each affected plugin's reverse index to find dependents. Mark as "related" (lighter checks).

If --tier release or no git diff available, scope to all plugins.
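The scope detection above, as an added example that is not the skill's own code: affected plugins are taken from `git diff main --name-only` filtered to plugins/*/, related plugins from a reverse index over docs/plugin-dependencies.json, and the release tier or an empty diff scopes to everything. It goes one step beyond the text by walking dependents transitively. The JSON layout ({"plugin": ["dependency", ...]}) and all function names are assumptions.

```python
"""Scope detection for the tiered plugin review. Added example, not the
skill's own code; the dependency-map layout ({"plugin": ["dependency", ...]})
and the function names are assumptions."""
import json
import subprocess
from collections import defaultdict

PLUGINS_PREFIX = "plugins/"


def changed_paths(base="main"):
    """Paths changed relative to the base branch; [] when git is unavailable
    or the diff fails, which the skill treats as 'scope to all plugins'."""
    try:
        out = subprocess.run(["git", "diff", base, "--name-only"],
                             check=True, capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    return [line for line in out.splitlines() if line]


def load_dependency_map(path="docs/plugin-dependencies.json"):
    """Assumed layout: {"plugin": ["dependency", ...], ...}."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def affected_plugins(paths):
    """Collect <name> from paths of the form plugins/<name>/...; a file that
    sits directly under plugins/ or a sibling directory such as pluginsX/
    is not a plugin and is ignored."""
    names = set()
    for p in paths:
        if not p.startswith(PLUGINS_PREFIX):
            continue
        name, sep, _ = p[len(PLUGINS_PREFIX):].partition("/")
        if sep and name not in ("", ".", ".."):
            names.add(name)
    return names


def reverse_index(dep_map):
    """Invert plugin -> depends_on into dependency -> {dependents}."""
    dependents = defaultdict(set)
    for plugin, deps in dep_map.items():
        for dep in deps:
            dependents[dep].add(plugin)
    return dependents


def related_plugins(affected, dep_map):
    """Transitive dependents of the affected plugins, minus the affected set;
    these receive the lighter 'related' checks."""
    index = reverse_index(dep_map)
    related, stack = set(), list(affected)
    while stack:
        for dependent in index.get(stack.pop(), ()):
            if dependent not in affected and dependent not in related:
                related.add(dependent)
                stack.append(dependent)
    return related


def resolve_scope(paths, dep_map, tier="branch"):
    """Return (affected, related). The release tier, or an empty diff,
    scopes the review to every plugin in the dependency map."""
    if tier == "release" or not paths:
        return set(dep_map), set()
    affected = affected_plugins(paths)
    return affected, related_plugins(affected, dep_map)


# Constructed sample data, not taken from the project.
SAMPLE_DEP_MAP = {
    "core": [],
    "abstract": ["core"],
    "skills-eval": ["abstract"],
    "hooks-eval": ["abstract", "core"],
    "legacy": [],
}
SAMPLE_DIFF = [
    "plugins/core/src/main.py",
    "plugins/README.md",            # directly under plugins/, not a plugin
    "docs/plugin-dependencies.json",
    "pluginsX/other/x.py",          # shares a prefix, is not plugins/
]

if __name__ == "__main__":
    affected, related = resolve_scope(SAMPLE_DIFF, SAMPLE_DEP_MAP)
    print("Affected:", sorted(affected))
    print("Related: ", sorted(related))
```

Against a real checkout the call is `resolve_scope(changed_paths(), load_dependency_map(), tier)`. The prefix check is deliberately strict: a changed file directly under plugins/ or under a look-alike directory never widens the affected set, so the check matrix is built only from real plugin directories.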

Module Loading

  • Always: this SKILL.md (orchestration logic)
  • branch tier: load modules/tier-branch.md
  • pr tier: load modules/tier-branch.md then modules/tier-pr.md
  • release tier: load all tier modules plus modules/tier-release.md
  • When resolving deps: load modules/dependency-detection.md

Verdict

Result              Meaning
PASS                All checks green
PASS-WITH-WARNINGS  Non-blocking issues
FAIL                Blocking issues found

Output Format

Plugin Review (<tier> tier)
Affected: <list>
Related:  <list> (<reason>)

Plugin          test  lint  type  reg   verdict
<name>          PASS  PASS  PASS  PASS  PASS
...

Verdict: <PASS|PASS-WITH-WARNINGS|FAIL> (N/N plugins healthy)

PR and release tiers add scorecard sections.

Quality Gate Mode

The --quality-gate flag enables CI/CD integration with exit codes that distinguish warnings from failures:

  • 0: all quality gates passed
  • 1: warnings present but gates passed (non-blocking)
  • 2: quality gate failures (blocking)
  • 3: critical issues found (blocking)

Use --fail-on warning to treat warnings as blocking.

Configuration

Place a .plugin-review.yaml file in the plugin root to customize thresholds and focus areas:

plugin_review:
  quality_gates:
    structure_min: 80
    skills_min: 75
    hooks_min: 70
    tokens_max_total: 50000
    bloat_max_percentage: 15
  focus_areas:
    - skills
    - hooks
    - tokens
  exclude_patterns:
    - "*/legacy/*"
    - "*/deprecated/*"
  severity_overrides:
    missing_description: warning
    large_file: info

See the /plugin-review command reference for full usage examples.
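The Verdict, Quality Gate Mode and Configuration sections above, worked through in one added example that is not the skill's own code. The exit codes 0 to 3, the --fail-on warning behaviour and the quality_gates / severity_overrides keys come from the page; how plugins are scored, the score names (structure, skills, hooks, tokens_total, bloat_percentage), the "critical" severity and the function names are assumptions.

```python
"""Verdict and --quality-gate exit codes for a review run. Added example,
not the skill's own code; scoring, score names and the 'critical' severity
are assumptions."""
from dataclasses import dataclass

EXIT_OK, EXIT_WARN, EXIT_FAIL, EXIT_CRITICAL = 0, 1, 2, 3
SEVERITY = {"info": 0, "warning": 1, "error": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    plugin: str
    code: str       # e.g. "missing_description", "large_file", "skills_min"
    severity: str   # info | warning | error | critical


def parse_gate(key):
    """structure_min -> ("structure", "min"); tokens_max_total -> ("tokens_total", "max")."""
    if key.endswith("_min"):
        return key[:-4], "min"
    if "_max" in key:
        return key.replace("_max", "", 1), "max"
    raise ValueError(f"unrecognised gate key: {key}")


def gate_findings(scores, gates):
    """A score below a *_min or above a *_max gate is a blocking 'error'."""
    out = []
    for plugin, metrics in scores.items():
        for key, limit in gates.items():
            metric, kind = parse_gate(key)
            value = metrics.get(metric)
            if value is None:
                continue
            if (kind == "min" and value < limit) or (kind == "max" and value > limit):
                out.append(Finding(plugin, key, "error"))
    return out


def apply_overrides(findings, overrides):
    """severity_overrides re-label findings by code, e.g. large_file -> info."""
    return [Finding(f.plugin, f.code, overrides.get(f.code, f.severity)) for f in findings]


def worst_severity(findings):
    return max((SEVERITY[f.severity] for f in findings), default=-1)


def plugin_verdict(findings):
    worst = worst_severity(findings)
    if worst >= SEVERITY["error"]:
        return "FAIL"
    return "PASS-WITH-WARNINGS" if worst == SEVERITY["warning"] else "PASS"


def exit_code(findings, fail_on="error"):
    """0 clean, 1 warnings only, 2 gate failure, 3 critical;
    --fail-on warning turns exit 1 into exit 2."""
    worst = worst_severity(findings)
    if worst == SEVERITY["critical"]:
        return EXIT_CRITICAL
    if worst == SEVERITY["error"]:
        return EXIT_FAIL
    if worst == SEVERITY["warning"]:
        return EXIT_FAIL if fail_on == "warning" else EXIT_WARN
    return EXIT_OK


def review(scores, raw_findings, config, fail_on="error"):
    """Return (verdict, per-plugin verdicts, healthy count, exit code)."""
    findings = apply_overrides(raw_findings, config.get("severity_overrides", {}))
    findings += gate_findings(scores, config.get("quality_gates", {}))
    findings = [f for f in findings if f.plugin in scores]
    per = {p: plugin_verdict([f for f in findings if f.plugin == p]) for p in scores}
    healthy = sum(v != "FAIL" for v in per.values())
    verdicts = set(per.values())
    verdict = "FAIL" if "FAIL" in verdicts else (
        "PASS-WITH-WARNINGS" if "PASS-WITH-WARNINGS" in verdicts else "PASS")
    return verdict, per, healthy, exit_code(findings, fail_on)


# Constructed sample input mirroring the .plugin-review.yaml above.
SAMPLE_CONFIG = {
    "quality_gates": {"structure_min": 80, "skills_min": 75, "hooks_min": 70,
                      "tokens_max_total": 50000, "bloat_max_percentage": 15},
    "severity_overrides": {"missing_description": "warning", "large_file": "info"},
}
SAMPLE_SCORES = {
    "abstract": {"structure": 90, "skills": 80, "hooks": 72,
                 "tokens_total": 42000, "bloat_percentage": 9},
    "legacy": {"structure": 85, "skills": 60, "hooks": 75,
               "tokens_total": 61000, "bloat_percentage": 12},
}
SAMPLE_FINDINGS = [
    Finding("abstract", "missing_description", "error"),   # override -> warning
    Finding("abstract", "large_file", "warning"),          # override -> info
]

if __name__ == "__main__":
    verdict, per, healthy, code = review(SAMPLE_SCORES, SAMPLE_FINDINGS, SAMPLE_CONFIG)
    for plugin, v in per.items():
        print(f"{plugin:<16}{v}")
    print(f"Verdict: {verdict} ({healthy}/{len(per)} plugins healthy), exit {code}")
```

With the constructed data, abstract ends as PASS-WITH-WARNINGS (its error was downgraded by the override), legacy fails two gates, and the run exits 2; reviewing abstract alone exits 1, or 2 under --fail-on warning. A CI job should branch on the exit code rather than parse the table, since the code already encodes the blocking/non-blocking distinction.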
