codebase-stats

v1.0.0

Analyze project metrics: lines of code, language distribution, function complexity, code-to-comment ratio, test coverage indicators, dependency counts, large...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the included Python scanner. The script implements LOC, language detection, simple complexity heuristics, dependency counts, and TODO/FIXME scanning — all expected for a 'codebase-stats' tool. No unrelated credentials, binaries, or cloud access are requested.
Instruction Scope
SKILL.md instructs running the included Python script on a target directory and offers output formats (markdown/json). The runtime instructions and the script operate on repository files and manifest files only; they do not instruct the agent to read unrelated system config or call external endpoints.
Install Mechanism
No install specification and the tool is pure Python with no external dependencies per SKILL.md and the script header. This reduces risk because nothing is downloaded or written to disk beyond running the provided script.
Credentials
The skill requires no environment variables, credentials, or special config paths. The script reads local project files (package.json, requirements.txt, go.mod, Cargo.toml, source files) which is appropriate for its purpose.
Persistence & Privilege
The skill is not always-on and uses normal model invocation. It does not appear to modify agent/system configuration or request persistent privileges.
Assessment
The tool appears coherent and limited to local repository analysis, but it reads many files in the target directory — do not run it directly on repositories containing secrets or private credentials. Because the provided source in the prompt was truncated, review the full script before use (search for any network/socket/file-write code or subprocess.exec calls). Run it in an isolated environment or on a copy of the repo first, and inspect reported outputs to ensure no sensitive content is included in generated reports.


latestvk973svqt046x7ews87kzhf28kd84n6ks
