ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Code Review Automation

v1.0.2

Automated code review for GitHub pull requests using Claude LLM. PR analysis, security scanning, and style checking.

0· 165·1 current·1 all-time
by@hirofumiko
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md and included Python code clearly implement GitHub and Anthropic (Claude) integrations and require GITHUB_TOKEN and ANTHROPIC_API_KEY, but the registry metadata declares no required environment variables or credentials and states 'instruction-only'. The package contains many code files (Py modules, CLI, clients, scanners) rather than being a pure instruction-only skill — this mismatch is an incoherence you should question.
!
Instruction Scope
Runtime instructions and the code will read a .env file and environment variables (GITHUB_TOKEN, ANTHROPIC_API_KEY) and will fetch PR diffs and send diff content to Anthropic (external LLM) for analysis. The ConfigManager auto-discovers config files by searching up to 10 parent directories, which increases filesystem exposure. The behavior (transmitting repository code to an external API, reading config files outside the current repo) is consistent with the tool's purpose but is sensitive and wider-scoped than the registry metadata indicates.
Install Mechanism
There is no install spec in the registry (low-risk), but SKILL.md instructs users to pip-install dependencies (PyGithub, anthropic, rich, typer, python-dotenv). That is typical but the SKILL.md also uses the 'uv' wrapper in examples (e.g., 'uv pip install', 'uv run'), which is unusual and may require an additional tool. No downloads from arbitrary URLs or extract steps were found in the provided files.
!
Credentials
The skill legitimately needs a GitHub PAT and an Anthropic API key for full functionality, and the code reads those from a .env in the skill directory. However, the registry metadata omitted these required env vars (incoherent). The tool's config discovery (searching parent directories) and any logging that writes to disk increase the chance of exposing other local secrets if misconfigured. The number and type of secrets requested (GITHUB_TOKEN, ANTHROPIC_API_KEY) are proportionate to the claimed functionality, but the omission from metadata is a red flag.
Persistence & Privilege
The skill does not request always: true and does not modify other skills. It can read and write configuration (.reviewrc) in the current directory and will auto-discover config files across parent directories (up to 10 levels). That behavior is plausible for a CLI tool but expands filesystem reach and should be considered when running in sensitive directories.
What to consider before installing
Key things to consider before installing or running: - Metadata mismatch: The registry lists no required environment variables, but SKILL.md and the code require GITHUB_TOKEN and ANTHROPIC_API_KEY. Ask the publisher to correct the registry metadata before trusting automatic installs. - Secrets: This tool will read a .env file and environment variables; do NOT use long-lived or organization-wide GitHub tokens. Create a least-privilege PAT (limit to the minimum repo access) or a repo-scoped token, and prefer revocable/ephemeral credentials. Treat the Anthropic key similarly. - Data exfiltration surface: The tool will send PR diffs / source code to Anthropic (Claude). If your repository contains sensitive code or secrets, be aware you are transmitting that content to an external LLM provider. - Config discovery: ConfigManager searches up to 10 parent directories for .reviewrc / review config files — run the tool from a safe, repository-root directory so it doesn't accidentally read unrelated config files or secrets in parent directories. - Run in an isolated environment: Install dependencies in a virtualenv or container. The SKILL.md uses 'uv', which is nonstandard; verify what 'uv' is and prefer a standard pip/venv workflow. - Review code locally: You have the code bundle — inspect or run tests locally. The included modules (github_client, claude_client, security_scanner) implement the described behavior; no obvious obfuscated exfil endpoints were found in the provided excerpts, but review the remaining truncated files for any unexpected network requests or hardcoded endpoints before use. - Limit logging & outputs: Do not log tokens; prefer environment variables over committing .env; check logger configuration to avoid writing sensitive content to disk or remote services. - If you need LLM-based analysis but cannot expose source, consider running the tool with --skip-llm or running security/style checks only, or use a local/approved LLM endpoint. If you want, I can: (1) scan the remaining truncated files for network calls or suspicious code patterns, (2) extract exact code locations where data is sent to Anthropic/GitHub so you can review the payloads, or (3) produce a minimal threat checklist you can follow before granting credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk979k2jhx9e0245mtdjga7n6p582x5yf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments