code

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a benign instruction-only code review skill, with a noteworthy but purpose-aligned allowance for local file reading/searching and shell use during reviews.

This skill appears safe for normal code review use. Before installing, note that it can read/search local project files and has Bash available, so keep its use scoped to intended repositories and approve any command execution that could change files, run untrusted code, or access the network.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may inspect project files and could run local commands during a review if the agent chooses to use Bash.

Why it was flagged

The skill explicitly grants local file-reading/search tools (Read, Grep, Glob) and Bash. The read-only tools are what a code review needs; Bash is a broad tool that can run arbitrary local commands with the user's privileges if misused. Because the skill also reads the files under review, the contents of the repository can influence which commands the agent decides to run, so the Bash grant deserves more scrutiny than the read-only ones.

Skill content

allowed-tools:
  - Read
  - Grep
  - Glob
  - Bash

Recommendation

Use it on repositories you intend to review, and require clear user approval before running tests, linters, build commands, or any command that modifies files or contacts external services.
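A pre-install check that applies the reasoning above to a SKILL.md is easy to script. The following Python is an added example, not ClawScan's scanner or the skill's own code: it parses the allowed-tools frontmatter (the block list shown above and the inline comma-separated form), classifies each grant, and reports whether an approval gate is needed. The scoped form Bash(git diff:*) is assumed to follow Claude Code's permission-rule syntax, and treating any Bash grant without such a scope as broad is this example's policy, not something the report states. The embedded SKILL.md is a constructed sample built from the frontmatter quoted above.

```python
"""Flag broad tool grants in a SKILL.md before installing the skill.

Added example, not ClawScan's code. Assumes the Claude Code style
``allowed-tools`` field and the ``Tool(pattern)`` scoping syntax.
"""
import re

# Tools that only read the local project: what a code review needs,
# and low blast radius.
READ_ONLY_TOOLS = {"Read", "Grep", "Glob"}

# Tools that execute commands or change files. A Bash grant with no
# command pattern can run anything the agent decides to run.
EXEC_TOOLS = {"Bash"}
WRITE_TOOLS = {"Write", "Edit", "MultiEdit"}

# Constructed sample: the frontmatter block quoted in the report above,
# wrapped in a minimal SKILL.md.
SAMPLE_SKILL_MD = """---
name: code
description: Review code for defects
allowed-tools:
  - Read
  - Grep
  - Glob
  - Bash
---
# Code review
Look at the diff and report problems.
"""

# Matches a scoped grant such as Bash(git diff:*) -> base "Bash".
SCOPED = re.compile(r"^(\w+)\((.+)\)$")


def parse_allowed_tools(skill_md: str) -> list[str]:
    """Return the allowed-tools entries from the YAML frontmatter.

    Handles the block-list form shown in the report and the inline
    ``allowed-tools: Read, Grep, Bash(git diff:*)`` form. Only the text
    between the leading '---' fences is examined; no YAML library needed.
    """
    m = re.match(r"---\n(.*?)\n---", skill_md, re.S)
    if not m:
        return []
    lines = m.group(1).splitlines()
    tools: list[str] = []
    i = 0
    while i < len(lines):
        key, sep, rest = lines[i].partition(":")
        if sep and key.strip() == "allowed-tools":
            rest = rest.strip()
            if rest:  # inline, comma-separated form
                tools.extend(t.strip() for t in rest.split(",") if t.strip())
                break
            i += 1  # block-list form: consume the "- item" lines
            while i < len(lines) and lines[i].lstrip().startswith("- "):
                tools.append(lines[i].lstrip()[2:].strip())
                i += 1
            break
        i += 1
    return tools


def classify(tool: str) -> tuple[str, str]:
    """Map one grant to (base tool, risk class)."""
    m = SCOPED.match(tool)
    base, scope = (m.group(1), m.group(2)) if m else (tool, None)
    if base in READ_ONLY_TOOLS:
        return base, "read-only"
    if base in EXEC_TOOLS:
        # Example policy: Bash is only acceptable without a gate when scoped
        # to specific commands.
        return base, "exec-scoped" if scope else "exec-broad"
    if base in WRITE_TOOLS:
        return base, "write"
    return base, "unknown"


def review_grants(skill_md: str) -> dict:
    """Summarize the grants and decide whether the skill needs an approval gate."""
    findings = [(t, *classify(t)) for t in parse_allowed_tools(skill_md)]
    broad = [t for t, _, cls in findings if cls == "exec-broad"]
    writes = [t for t, _, cls in findings if cls == "write"]
    return {
        "tools": [t for t, _, _ in findings],
        "classes": {t: cls for t, _, cls in findings},
        "broad_exec": broad,
        "needs_approval_gate": bool(broad or writes),
    }


if __name__ == "__main__":
    report = review_grants(SAMPLE_SKILL_MD)
    for tool, cls in report["classes"].items():
        print(f"{tool:<20} {cls}")
    if report["needs_approval_gate"]:
        print("=> require user approval before any command execution:",
              ", ".join(report["broad_exec"]))
```

Run against the report's own frontmatter the script classifies Read, Grep and Glob as read-only and the bare Bash grant as broad execution, which is exactly the condition the recommendation above asks you to gate with user approval; a grant written as Bash(git diff:*) would instead classify as scoped.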