Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nm Conserve Bloat Detector

v1.0.0

Detect codebase bloat via progressive analysis: dead code, duplication, complexity, and doc bloat

Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description match the actions in SKILL.md: scanning repo files, git history, dependency checks and doc analysis. However, the skill is instruction-only but frequently references scripts (e.g., plugins/conserve/scripts/detect_duplicates.py) and CLI tools (vulture, knip, jq, npm) that are not included or declared as required in the registry metadata — this is plausible for an instructions-only tool but is an inconsistency the user should understand.
Instruction Scope
SKILL.md instructs the agent to run many local shell/git commands that read the codebase, write to /tmp, create backup branches, and optionally call networked package registries (npm view). All of this is coherent with bloat detection. Concerns: some example commands reference files/scripts not present in the skill bundle (so the agent may fail or attempt to call components from the user's environment), and Tier 2 snippets assume availability of external tools — the instructions do not strictly limit actions to the declared artifacts.
Install Mechanism
No install spec (instruction-only), which minimizes direct install risk. But the modules assume optional external tools (vulture, knip, autoflake, jq, npm) with example shell invocations. The skill does not provide an installer or verify tool availability beyond showing commands, so the agent or user will need to provide those tools separately.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The operations are local (filesystem and git). This is proportionate to the stated purpose. Note: git operations may interact with remotes if the user pushes; the skill itself does not request remote credentials.
Persistence & Privilege
always:false and no autonomous elevation are set. The skill explicitly states 'Never auto-delete' and requires approval for changes; remediation auto-approval levels are documented and default to prompting. No persistent installation actions or cross-skill modifications are present.
What to consider before installing
This skill looks like a coherent code-bloat detector, but treat it as documentation/instructions rather than a self-contained tool. Before running:

  1) Verify the referenced helper scripts (e.g., plugins/conserve/scripts/...) exist in the workspace or that you have an implementation to run; many example commands assume files not bundled with the skill.
  2) Ensure required CLI tools (git, python, pip, npm, jq, vulture/knip/autoflake for Tier 2) are installed — the skill lists them in examples but registry metadata doesn't mark any binaries as required.
  3) Use --dry-run and create a local clone/backup branch before executing remediation steps; the skill may create branches and suggest DELETE/REFACTOR actions.
  4) Check minor metadata mismatches (SKILL.md version differs from registry metadata) and confirm you understand which agent/plugin (Claude Code) or external scripts provide full functionality.
  5) Do not run bulk remediation on production branches without manual review — the skill documents safety gates, but the agent will execute local shell/git commands and could modify the repo if you approve actions.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🦞 Clawdis
latest vk9735vrthah8dnetk0rmah2dcx84m923
64 downloads
0 stars
1 version
Updated 1w ago
v1.0.0
MIT-0

Night Market Skill — ported from claude-night-market/conserve. For the full experience with agents, hooks, and commands, install the Claude Code plugin.

Bloat Detector

Systematically detect and eliminate codebase bloat through progressive analysis tiers.

Bloat Categories

Category | Examples
Code | Dead code, God classes, Lava flow, duplication
AI-Generated | Tab-completion bloat, vibe coding, hallucinated deps
Documentation | Redundancy, verbosity, stale content, slop
Dependencies | Unused imports, dependency bloat, phantom packages
Git History | Stale files, low-churn code, massive single commits

Quick Start

Tier 1: Quick Scan (2-5 min, no tools)

/bloat-scan

Detects: Large files, stale code, old TODOs, commented blocks, basic duplication

Tier 2: Targeted Analysis (10-20 min, optional tools)

/bloat-scan --level 2 --focus code   # or docs, deps

Adds: Static analysis (Vulture/Knip), git churn hotspots, doc similarity

Tier 3: Deep Audit (30-60 min, full tooling)

/bloat-scan --level 3 --report audit.md

Adds: Cross-file redundancy, dependency graphs, readability metrics

When To Use

Do | Don't
Context usage > 30% | Active feature development
Quarterly maintenance | Time-sensitive bugs
Pre-release cleanup | Codebase < 1000 lines
Before major refactoring | Tools unavailable (Tier 2/3)

When NOT To Use

  • Active feature development
  • Time-sensitive bugs
  • Codebase < 1000 lines

Confidence Levels

Level | Confidence | Action
HIGH | 90-100% | Safe to remove
MEDIUM | 70-89% | Review first
LOW | 50-69% | Investigate

Prioritization

Priority = (Token_Savings × 0.4) + (Maintenance × 0.3) + (Confidence × 0.2) + (Ease × 0.1)

Module Architecture

Tier 1 (always available):

  • See modules/quick-scan.md - Heuristics, no tools
  • See modules/git-history-analysis.md - Staleness, churn, vibe coding signatures
  • See modules/growth-analysis.md - Growth velocity, forecasts, threshold alerts

Tier 2 (optional tools):

  • See modules/code-bloat-patterns.md - Anti-patterns (God class, Lava flow)
  • See modules/ai-generated-bloat.md - AI-specific patterns (Tab bloat, hallucinations)
  • See modules/documentation-bloat.md - Redundancy, readability, slop detection
  • See modules/static-analysis-integration.md - Vulture, Knip

Shared:

  • See modules/remediation-types.md - DELETE, REFACTOR, CONSOLIDATE, ARCHIVE

Auto-Exclusions

Always excludes: .venv, __pycache__, .git, node_modules, dist, build, vendor

Also respects: .gitignore, .bloat-ignore

Safety

  • Never auto-delete - all changes require approval
  • Dry-run support - --dry-run for previews
  • Backup branches - created before bulk changes

Related

  • bloat-auditor agent - Executes scans
  • unbloat-remediator agent - Safe remediation
  • context-optimization skill - MECW principles
