Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

C++ Code Review Master

v1.0.0

A composite C++ code review solution combining static analysis, AI reasoning, multi-round iterative review, and C++-specific checks. Suitable for: PR review, incremental code review, full-project review, and code quality scoring. Trigger words: `review cpp`, `cpp 代码评审`, `C++ review`, `代码审查`.

MIT-0
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (C++ code review) align with the instructions: local regex checks, three AI reviewers, reporting and optional auto-fix. Declared dependent sub-skills (cpp, code-review-sr, iterative-code-review, modified-code-review, code-review-fix) fit the stated architecture.
Instruction Scope
SKILL.md instructs the agent to collect code context (files, directories, git diffs, or a PR via `gh`/`git`), run local regex/static checks, spawn three reviewer subagents, aggregate the results, and optionally apply fixes. That scope matches the stated purpose, but the handbook also mentions optional external model usage (ANTHROPIC_API_KEY), which means code and diffs could be sent to an external API if the user enables that mode. The skill claims a default "local analysis mode" in which no code leaves the machine, but that choice is left to runtime configuration rather than enforced by the skill itself.
Install Mechanism
Instruction-only skill with no install spec and no included binaries or artifacts. This is the lowest-risk install model and matches the provided files and usage.
Credentials
The skill metadata declares no required env vars, which is reasonable for local-only operation. However, HANDBOOK.md references optional environment variables (ANTHROPIC_API_KEY, OLLAMA_HOST) to enable the AI reviewers, and those are not declared in requires.env. This is not necessarily malicious, but it is an inconsistency you should be aware of: enabling AI review with an API key could transmit code to external services.
Persistence & Privilege
`always` is false and the skill does not request elevated or permanent platform privileges. It may spawn subagents (normal for a multi-reviewer design) and can modify files only via the optional auto-fix flow, which the docs state requires user confirmation by default.
Assessment
This skill appears to do what it advertises (local static regex checks + multi-reviewer AI analysis + optional fixes). Before installing or using it:
1) Confirm the required sub-skills (cpp, code-review-sr, iterative-code-review, modified-code-review, code-review-fix) are trusted and available; the package lists them but does not ship their code here.
2) If you do not want your source code sent to third-party models, do NOT set external API keys (e.g., ANTHROPIC_API_KEY) and prefer a local model (OLLAMA_HOST) or local-only mode.
3) Auto-fix operations can modify files and potentially run git commits. Keep 'safety mode' enabled, review fixes before applying them, and try the skill on non-sensitive repositories first.
4) Note the small metadata inconsistency: optional envs are mentioned in the docs but not declared in requires.env; verify runtime prompts and permissions the first time you invoke the skill.
If you want higher assurance, inspect or vet the dependent sub-skills' sources and test the skill on sample code before using it on production repositories.

Like a lobster shell, security has layers — review code before you run it.

latest · vk97054ny3k4nj3x86r2sbcs1q984c8x5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

🔍 Clawdis
