ClawHub
Back to skill
v1.0.1

zxz-test

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:24 AM.

Analysis

This is a coherent instruction-only code review helper that reads the current Git diff; users should mainly be aware that local uncommitted code may enter the review context.

GuidanceThis skill appears safe for its stated purpose. Before installing or invoking it, be aware that it reviews your staged or unstaged Git diff, so any private code or secret values present in those changes may be included in the agent's context.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
执行 `git diff --staged` 获取暂存区的变更。如果为空,回退到 `git diff` 获取未暂存的变更。

This directs the agent to run local Git commands and read staged or unstaged diffs. The commands are read-only and directly support the stated review purpose, but the diff may include private code or accidentally exposed secrets.

User impactWhen invoked, the agent may read your current uncommitted code changes to perform the review.
RecommendationUse it only in repositories where you are comfortable having the current diff reviewed, and avoid including secrets in diffs.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
metadata
Required binaries (all must exist): none; Required binaries (at least one): none

The metadata does not declare Git as a required binary, while SKILL.md instructs use of `git diff`. This is a small dependency-declaration gap, not evidence of hidden installation or unsafe code.

User impactThe skill may fail or behave unexpectedly on systems where Git is unavailable.
RecommendationEnsure Git is installed before using the skill; maintainers should declare Git as a required binary if the registry supports it.