Sonarqube Analyzer
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to query a configured SonarQube server and report issues as advertised, but it authenticates with a SonarQube token, so users should verify the host URL and keep the token's scope narrow.
This looks safe to install for its stated SonarQube-analysis purpose. Before using it, confirm that the SonarQube host URL points at your intended server, provide only a limited-scope token, and remember that reports may include project names, file paths, issue messages, and quality-gate details from your SonarQube instance.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured with a real token, the agent can use it to read SonarQube issue and quality-gate information for the requested projects.
The skill sends a SonarQube authentication token when calling the configured SonarQube API. This is expected for the stated purpose, but it is still delegated account access. The relevant lines from the skill's source:
const SONAR_TOKEN = process.env.SONAR_TOKEN || 'admin';
...
headers['Authorization'] = `Basic ${Buffer.from(`${SONAR_TOKEN}:`).toString('base64')}`;
Note that the first line falls back to the literal string 'admin' when SONAR_TOKEN is unset, so a missing token is not reported as an error; the skill would instead send an Authorization header built from 'admin:' to whatever host is configured. Use a least-privileged SonarQube token, verify that `SONAR_HOST_URL` points to your intended server, and avoid using broad admin tokens.
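The following is an added example of how the host and token handling above could be done fail-closed; it is not the skill's own code. It refuses to run without a token instead of substituting a default, rejects a host that is not on an operator-supplied allowlist or that would send the token over plain HTTP, and builds the same `Basic base64(token + ':')` header the skill uses. The allowlist, the helper names, and the sample project key are assumptions for this example; the two endpoints are the standard SonarQube web API calls a read-only issue and quality-gate report needs.

```javascript
// Added example, not the skill's code: fail-closed configuration for a
// SonarQube client. The allowlist and helper names are assumptions.

function buildSonarConfig(env, allowedHosts) {
  const token = env.SONAR_TOKEN;
  // No default credential: a missing token is a configuration error, not
  // something to paper over with 'admin'.
  if (typeof token !== 'string' || token.trim() === '') {
    throw new Error('SONAR_TOKEN is not set; refusing to fall back to a default credential');
  }
  if (token === 'admin') {
    throw new Error("SONAR_TOKEN is the placeholder 'admin'; set a real, least-privileged token");
  }

  const rawHost = env.SONAR_HOST_URL;
  if (!rawHost) {
    throw new Error('SONAR_HOST_URL is not set');
  }
  let url;
  try {
    url = new URL(rawHost);
  } catch (e) {
    throw new Error(`SONAR_HOST_URL is not a valid URL: ${rawHost}`);
  }
  // Plain http is tolerated only for a local instance; anywhere else the token
  // must travel over TLS.
  const isLocal = url.hostname === 'localhost' || url.hostname === '127.0.0.1';
  if (url.protocol !== 'https:' && !(url.protocol === 'http:' && isLocal)) {
    throw new Error(`SONAR_HOST_URL must use https (got ${url.protocol})`);
  }
  // The operator decides which servers may ever receive the token.
  if (!allowedHosts.includes(url.hostname)) {
    throw new Error(`SONAR_HOST_URL host ${url.hostname} is not in the allowlist`);
  }

  // SonarQube takes the token as the Basic-auth username with an empty password,
  // which is exactly what the skill's snippet builds.
  const authorization = 'Basic ' + Buffer.from(`${token}:`).toString('base64');
  // Keep any context path (e.g. https://host/sonar) but drop a trailing slash.
  const baseUrl = url.origin + url.pathname.replace(/\/$/, '');
  return { baseUrl, headers: { Authorization: authorization } };
}

// Read-only endpoints for the skill's stated purpose.
function issuesUrl(cfg, projectKey) {
  const u = new URL(cfg.baseUrl + '/api/issues/search');
  u.searchParams.set('componentKeys', projectKey);
  u.searchParams.set('resolved', 'false');
  return u.toString();
}

function qualityGateUrl(cfg, projectKey) {
  const u = new URL(cfg.baseUrl + '/api/qualitygates/project_status');
  u.searchParams.set('projectKey', projectKey);
  return u.toString();
}

module.exports = { buildSonarConfig, issuesUrl, qualityGateUrl };
```

With this shape, an unset `SONAR_TOKEN` or a typo in `SONAR_HOST_URL` surfaces as an error before any request is sent, rather than as a silent call to an unintended server with a made-up credential.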
