Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nm Pensive Rust Review

v1.0.0

Rust code audit: unsafe blocks, ownership patterns, and Cargo dependency security scanning

Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, and modules align with a Rust audit (ownership, unsafe, dependency scanning). However the SKILL.md expects running cargo commands (cargo audit/tree/outdated) and a CLI-style invocation (/rust-review) yet the registry metadata lists no required binaries — a small mismatch. Also the declared required config paths (night-market.pensive:shared, night-market.imbue:proof-of-work) are not explained by the audit purpose and look unrelated.
Instruction Scope
Runtime instructions focus on code review steps (ownership, unsafe, concurrency, cargo audits) and recommend running local cargo tools and recording an evidence log. They do not instruct reading unrelated system files or contacting external endpoints; the scope stays within reviewing source and running local tooling.
Install Mechanism
This is instruction-only with no install spec and no code files to write to disk, which is the lowest-risk install mechanism. The SKILL.md mentions (optionally) an external 'Claude Code' plugin for additional features, which would be a separate install and should be inspected separately.
Credentials
No environment variables or credentials are requested (good), but the two required config paths (night-market.pensive:shared and night-market.imbue:proof-of-work) are unexpected for a Rust code auditor and are not justified in the documentation. The 'proof-of-work' config name in particular is opaque and may indicate access to unrelated agent configuration — ask what those configs contain and why they're required.
Persistence & Privilege
The skill does not request always:true and is user-invocable (normal). It does not declare modifications to other skills or system-wide settings. Autonomous invocation is allowed by default but is not combined here with broad credentials or always:true.
What to consider before installing
This skill appears to be a coherent Rust code-audit instruction pack, but check two things before installing: (1) confirm why it requires the config paths night-market.pensive:shared and night-market.imbue:proof-of-work — ask the publisher what data those configs contain and whether they grant access to unrelated settings, and (2) ensure your environment has the expected local tools (cargo, cargo-audit, cargo-outdated, cargo-deny) because the SKILL.md expects running those commands even though no binaries are declared. Also be cautious about installing the separate 'Claude Code' plugin the README mentions—treat that as a separate component to vet because it may add hooks or networked features.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔍 Clawdis
Config: night-market.pensive:shared, night-market.imbue:proof-of-work
latest: vk97dv89qf18r30v1pj4ztpx9eh84w6sv
51 downloads
0 stars
1 version
Updated 5d ago
v1.0.0
MIT-0

Night Market Skill — ported from claude-night-market/pensive. For the full experience with agents, hooks, and commands, install the Claude Code plugin.


Rust Review Workflow

Expert-level Rust code audits with focus on safety, correctness, and idiomatic patterns.

Quick Start

/rust-review

Verification: Run the command with the --help flag to verify availability.

When To Use

  • Reviewing Rust code changes
  • Auditing unsafe blocks
  • Analyzing concurrency patterns
  • Dependency security review
  • Performance optimization review

When NOT To Use

  • General code review without Rust - use unified-review
  • Performance profiling - use parseltongue:python-performance pattern

Required TodoWrite Items

  1. rust-review:ownership-analysis
  2. rust-review:error-handling
  3. rust-review:concurrency
  4. rust-review:unsafe-audit
  5. rust-review:cargo-deps
  6. rust-review:evidence-log

Progressive Loading

Load modules as needed based on review scope:

Quick Review (ownership + errors):

  • See modules/ownership-analysis.md for borrowing and lifetime analysis
  • See modules/error-handling.md for Result/Option patterns

Concurrency Focus:

  • See modules/concurrency-patterns.md for async and sync primitives

Safety Audit:

  • See modules/unsafe-audit.md for unsafe block documentation

Dependency Review:

  • See modules/cargo-dependencies.md for vulnerability scanning

Idiomatic Patterns:

  • See modules/builtin-preference.md for conversion traits and builtin preference

Core Workflow

  1. Ownership Analysis: Check borrowing, lifetimes, clone patterns
  2. Error Handling: Verify Result/Option usage, propagation
  3. Concurrency: Review async patterns, sync primitives
  4. Unsafe Audit: Document invariants, FFI contracts
  5. Dependencies: Scan for vulnerabilities, updates
  6. Evidence Log: Record commands and findings

Rust Quality Checklist

Safety

  • All unsafe blocks documented with SAFETY comments
  • FFI boundaries properly wrapped
  • Memory safety invariants maintained

Correctness

  • Error handling complete
  • Concurrency patterns sound
  • Tests cover critical paths

Performance

  • No unnecessary allocations
  • Borrowing preferred over cloning
  • Async properly non-blocking

Idioms

  • Standard traits implemented
  • Conversion traits preferred over helper functions
  • Error types well-designed
  • Documentation complete

Output Format

## Summary
Rust audit findings

## Ownership Analysis
[borrowing and lifetime issues]

## Error Handling
[error patterns and issues]

## Concurrency
[async and sync patterns]

## Unsafe Audit
### [U1] file:line
- Invariants: [documented]
- Risk: [assessment]
- Recommendation: [action]

## Dependencies
[cargo audit results]

## Recommendation
Approve / Approve with actions / Block
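
An added example, not part of the skill or its modules: a line-based heuristic for the checklist item "All unsafe blocks documented with SAFETY comments" that reports each undocumented use as a `### [U1] file:line` header from the Output Format above. The function name `audit_unsafe`, the `SAMPLE` source and the path `src/lib.rs` are constructed for illustration.

```rust
/// Heuristic check (added example, not the skill's own tooling).
/// Returns one "### [Un] file:line" header for every `unsafe` use that has
/// no `// SAFETY:` comment in the comment lines directly above it.
pub fn audit_unsafe(file: &str, src: &str) -> Vec<String> {
    let lines: Vec<&str> = src.lines().collect();
    let mut findings = Vec::new();
    for (i, line) in lines.iter().enumerate() {
        // Drop any trailing line comment, then match `unsafe` as a whole token
        // so identifiers such as `unsafe_count` are not reported.
        let code = line.split("//").next().unwrap_or("");
        let has_unsafe = code
            .split(|c: char| !(c.is_alphanumeric() || c == '_'))
            .any(|tok| tok == "unsafe");
        if !has_unsafe {
            continue;
        }
        // Walk upward over the contiguous run of comment or attribute lines.
        let documented = lines[..i]
            .iter()
            .rev()
            .map(|l| l.trim())
            .take_while(|l| l.starts_with("//") || l.starts_with("#["))
            .any(|l| l.trim_start_matches('/').trim_start().starts_with("SAFETY:"));
        if !documented {
            let n = findings.len() + 1;
            findings.push(format!("### [U{}] {}:{}", n, file, i + 1));
        }
    }
    findings
}

// Constructed sample input: one documented and one undocumented unsafe block.
pub const SAMPLE: &str = r#"pub fn first(v: &[u8]) -> u8 {
    // SAFETY: caller guarantees `v` is non-empty, so index 0 is in bounds.
    unsafe { *v.get_unchecked(0) }
}

pub fn read(p: *const u32) -> u32 {
    unsafe { *p }
}

// this comment mentions unsafe but contains no code
pub fn unsafe_count() -> u32 { 0 }
"#;

fn main() {
    for header in audit_unsafe("src/lib.rs", SAMPLE) {
        println!("{header}\n- Invariants: [undocumented]");
    }
}
```

A string literal containing the word `unsafe` would be flagged by this heuristic; Clippy's `undocumented_unsafe_blocks` lint performs the same check on the parsed syntax tree.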


Exit Criteria

  • All unsafe blocks audited
  • Concurrency patterns verified
  • Dependencies scanned
  • Evidence logged
  • Action items assigned

Troubleshooting

Common Issues

  • Command not found: Ensure all dependencies are installed and in PATH
  • Permission errors: Check file permissions and run with appropriate privileges
  • Unexpected behavior: Enable verbose logging with the --verbose flag
